- Vaccine Service – Privacy Notice
Vaccine Service – Privacy Notice
PRIVACY NOTICE – VACCINE MANAGEMENT SYSTEM (for COVID-19 and Flu)
The Department of Health (DoH) circular HSS(MD)82/2020 ‘Deployment of the COVID-19 Vaccine in Northern Ireland’ (7 December 2020) sets out the public health measures to be put in place to help contain and reduce the spread of COVID-19 by the administration of COVID-19 vaccinations to the Northern Ireland population.
The Department of Health (DoH), along with support from HSC Trusts, General Medical Services including Community Pharmacies and Public Health Agency (PHA) are responsible for the implementation of the NI COVID-19 Vaccination and Seasonal Flu Programmes. PHA is primarily responsible for flu vaccination of 12-15 year olds in school settings.
The Health & Social Care Board (HSCB) and PHA are responsible for the Vaccine Management System (VMS) where COVID-19 vaccine (including booster doses) and Flu vaccine records from 2021 will be stored.
This privacy notice describes the type of personal data collected and held for both the COVID-19 Vaccination and Flu vaccine Programmes on the Vaccine Management System (VMS) for Northern Ireland, the way that your data is used and your rights in respect of this.
2. COVID-19 Vaccination Programme
The COVID-19 Vaccination Programme is designed to enable the population of Northern Ireland to access COVID-19 vaccinations to develop immunity to the SARS-CoV-2 virus.
The Joint Committee on Vaccination and Immunisation (JCVI) has set out a prioritisation for persons at risk. JCVI ranked the eligible groups according to risk, largely based on prevention of COVID-19-specific mortality. Further information on the phasing of vaccinations for particular groups of the population will be advised by JCVI and DoH and will be published by the PHA here.
The COVID 19 vaccine will be administered by registered clinical staff trained in vaccination procedures.
All SMS and email appointment confirmation and reminder messages come from HSC vaccine to the mobile or email address supplied at booking.
If you use the online system you will receive confirmation of your appointment bookings and reminders of your appointments either by email or text SMS. For those residents in nursing and residential care no booking will be required as mobile teams of vaccination staff will visit individuals at home on a set day.
Further information on the NI COVID-19 Vaccination Programme can be found at: COVID-19 Vaccination Programme questions and answers | HSC Public Health Agency (hscni.net)
3. The Flu Vaccination Programme
Seasonal changes in the influenza (flu) virus occur and it is for this reason that annual vaccination against flu is recommended in certain groups who are either at risk of the complications of flu, or at risk of passing flu on to people at risk of developing complications. Every year the Chief Medical Officer in Northern Ireland issues a letter outlining who is eligible to receive the flu vaccine under the seasonal influenza programme.
Flu immunisation is one of the most effective interventions healthcare can provide to reduce harm from flu and pressures on health and social care services during the winter. It is important to increase flu vaccine uptake in clinical risk groups because of increased risk of death and serious illness if people in these groups catch flu.
In previous years only around half of patients under 65 years in clinical risk groups have been vaccinated. Influenza during pregnancy may be associated with increased risk of infant death before or after birth prematurity, smaller neonatal size, lower birth weight and increased risk of complications for mothers.
Vaccination of health and social care workers protects them and reduces the risk of spreading flu to their patients, service users, colleagues, and family members. In addition, by preventing flu infection through vaccination, secondary bacterial infections such as pneumonia are prevented. This year high uptake of flu vaccine is even more crucial than ever. Those most at risk from flu are also the most vulnerable to COVID-19 related morbidity and mortality. There is evidence that co-infection of COVID-19 and flu can increase mortality.
From 2021 the PHA will use the VMS to record flu vaccinations. Capturing flu vaccination data on the VMS simplifies the effort required by GPs to capture the information, thus saving them time, and allowing them to treat more patients.
4. Why are you processing my personal information?
The HSCB and PHA are joint data controllers for the personal data held by the Vaccination Management System (VMS), under the Data Protection Legislation, which includes UK General Data Protection Regulation (GDPR) and UK Data Protection Act 2018. Your personal information is used for the following purposes:
- confirming the appointment at your GP, Community Pharmacist or regional vaccination centre (if that is where you are having your vaccination)
- performing a security and ID verification at the vaccination centre for COVID-19 vaccinations
- processing your vaccination
- sharing the details of your vaccination with your GP
- sharing the details of your vaccination if you request a COVID-19 certificate (see separate Privacy Notice for Covid Certification Service (CCS)).
- undertaking quality assurance of the vaccination process including clinical procedure and patient data entry in VMS
- analysis to support operational decisions to improve the full end-to-end vaccination process, such as:
- day-to-day use, for example whether someone attended their appointment;
- to inform regional vaccination centres of improvements to the vaccination process, for example to manage capacity or follow up on serious adverse effects;
- support end-to-end logistics planning;
- observation to identify trends in the uptake, efficacy and effectiveness of both the flu and COVID-19 vaccines.
Identifiable data will be used by the PHA from the VMS for health protection purposes and for reports and the production of official statistics. Anonymised information gathered also helps to inform DoH policy.
Disease observation and monitoring is a core public health function of the PHA. Health bodies need to make sure they have the right information available to them at the right time to inform decisions and actions across the public health system. This helps the PHA to control the spread of COVID and reduce the impacts of flu.
Observation involves gathering a wide variety of anonymised data about a disease from a range of sources, to provide us with situational awareness. This also applies to the uptake of COVID-19 and flu vaccinations. This is then used to inform public health action to help prevent and control both diseases. This will also allow data linkage with other datasets to monitor the impact of COVID-19 on health services e.g. in-patient admissions, intensive care admissions, long COVID.
5. What information is collected?
Data to be collected
When you book your vaccine appointment you will be asked to provide the following information:
- First name
- Family name (last name)
- Date of birth
- Health and Care Number (this can be found on any letter from HSC, any prescription or medical care)
- Contact telephone number
- Email address
- GP name and practice
At the vaccination appointment the following information will be collected and added to the vaccine management system
- Date of vaccination
- Dose number
- Batch numbers for each vaccine
- Any conditions you may have that are considered high risk
- Your pregnancy status
For people employed in health and social care additional information will be collected for those being administered a COVID vaccine:
- Place of work
- Job role
- Staff Number
- RQIA home code
For vaccinations administered in nursing homes where the online booking has not been required the demographic details will be collected at the time of vaccination.
For COVID-19 vaccines you may also be asked to provide some additional information about yourself when you attend for vaccinations by the person vaccinating you, for example confirmation you have no symptoms or other reasons why you may have to defer your vaccination.
Flu vaccination data will be shared by the VMS with the PHA for the purposes of managing flu vaccine efficacy, effectiveness and for population health management.
Please note that both Flu and COVID-19 Vaccination Programmes will never:
- Disclose any personal or health/medical information provided by you to anyone other than the PHA, your GP practice patient record system or the processors listed in Annex A. Additionally, for Health and Social Care (HSC) staff, Occupational Health will hold a record of your vaccination; anonymised data will be shared with HSC employers as management reports on vaccine uptake.
- Ask you to dial a premium rate number (for example, those starting 09 or 087) to speak to us;
- Ask you to make any form of payment or purchase a product of any kind;
- Ask for any details about your bank account;
- Ask for your social media identities or login details, or those of your contacts;
- Ask for any passwords or PINs, or ask you to set up any passwords or PINs over the phone;
- Ask you to download any software to your PC or ask you to hand over control of your PC, smartphone or tablet to anyone else;
- Ask you to access any website or smartphone application that does not belong to the Government, or HSC.
6. The lawful basis for processing your personal information
The lawful basis for processing your personal information according to the UK GDPR and Data Protection Act 2018 is:
- UK GDPR Article 6(1)(e) – the processing is necessary for the performance of its official tasks carried out in the public interest in providing and managing a health service.
The HSCB is a statutory organisation that arranges or ‘commissions’ health and social care services for the population of Northern Ireland. The HSCB are accountable to the health minister, for turning their vision for health and social care into a range of services that deliver high quality and safe outcomes for patient and service users, are good value for the taxpayer, and comply with statutory duties.
Under the Health and Social Care (Reform) Act (Northern Ireland) 2009 the Regional Board shall exercise on behalf of the Department functions of the Department (including functions imposed under an order of any court) with respect to the administration of health and social care as the Department may direct.
The PHA Health Protection Team provides strategic oversight and coordination of the implementation and ongoing delivery of regional vaccination programmes; provision of resources for health professionals and the public; interventions to improve uptake; disease and vaccine coverage surveillance; investigation, and management of cases, outbreaks and other immunisation incidents; and provision of expert advice to policy makers, commissioners, providers and the public.
In this instance the public task relates to the functions of the Public Health Agency which the Agency exercises on behalf of the Department of Health for:
(a) the health improvement functions mentioned in subsection (2);
(b) the health protection functions mentioned in subsection (3); and
(c) obtaining and analysis of data and other information in subsection (4).
as outlined in the Health and Social Care (Reform) Act (Northern Ireland), 2009, section 13.
The data collected on the Vaccination Management System includes personal data. Some of this data relates to health data which is described as ‘special category data’. In relation to that processing, the following UK GDPR conditions apply:
- Article 9(2)(h) – the processing is necessary for medical diagnosis, the provision of health treatment and management of a health and social care system.
- Article 9(2)(i) – the processing is necessary for reasons of public interest in the area of public health.
- Article 9(2)(j) – the processing is necessary for archiving purposes in public interest – scientific/historical research purposes.
- Data Protection Act 2018 Schedule 1, Part 1 (2) – Health or Social Care Purposes
- Data Protection Act 2018 – Schedule 1, Part 1 (3) – reasons of public interest in the area of public health
- Data Protection Act 2018 – Schedule 1, Part 1 (4) – reasons of public interest in the area of public health research.
7. How will my data be processed?
Under UK GDPR Article 5(1)(f) all data will be processed in a manner that ensures appropriate security of your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The Vaccination Management System is hosted in the secure isolated cloud storage solution provided by Microsoft within the UK. Data is processed within the secure HSCNI network. Access to the systems is restricted and governed by firewalls and only known authorised user accounts can gain access. All data processors involved in the processing of your data are listed at Annex A and their processing is governed by UK GDPR compliant contracts, agreements, and/or MoUs.
8. Do I need to give my consent?
No, the data is obtained on the lawful basis of public interest (as outlined in section 5 above) and therefore consent is not required.
9. Where do you get my personal data from?
Much of the data we use will have been provided directly by you, when you book your COVID-19 or Flu vaccination appointments (or by someone who booked it on your behalf) and from clinical data entered into the system at the time of your vaccination. Data on other medical conditions you may have will come from other Health and Social Care (HSC) systems including GP records.
The Vaccine Management System will receive data directly from:
- Information you provide when booking your appointment and when attending for your vaccination;
- GP Clinical Systems when they administer your vaccine or booster
- Community Pharmacy Systems when they administer your vaccine or booster.
All SMS and email appointment confirmation and reminder messages come from HSC vaccine to the mobile or email address supplied at booking for COIVD vaccinations. If attending your GP or a pharmacy for vaccination they will provide this information to you personally.
10. Do you share my personal data with anyone else?
Yes. To help us provide the best service for you, we will share the record of your vaccination(s) with your GP, through a secure transfer of digital data to your GP patient record system.
Your data will also be shared with the data processors listed at Annex A for the purposes of the delivery of the VMS.
For HSC staff, the record of your vaccination will also be shared with Occupational Health. Anonymised data will be shared with HSC employers as management reports on vaccine uptake.
Information in the form of anonymised, aggregated data is also shared with the Department of Health in Northern Ireland for the purposes of COVID-19 monitoring.
11. Do you transfer my personal data to other countries?
If you have received your vaccine in England, Scotland or Wales but are registered with a GP in Northern Ireland; if you have received your vaccine in Northern Ireland but are registered with a GP in another UK jurisdiction, VMS will securely transfer your records to your GP practice.
Non identifiable and aggregated data is shared with other countries in line with International Health Regulations (2005) part VIII, Article 45, Treatment of Personal Data, such as Public Health England for the purposes of UK national vaccination surveillance.
12. How long do you keep my personal data?
We will only retain your data for as long as necessary, in line with our Retention and Disposal Schedule and specific guidance issued by the Department of Health in Northern Ireland (Good Management, Good Records) which can be found here.
13. What rights do I have?
- We provide information on the collection and use of your personal information, through this Privacy Notice, the Data Protection Impact Assessment, and through a range of public information on the PHA website. COVID-19 Vaccination Programme questions and answers | HSC Public Health Agency (hscni.net)
- We only hold information about you that we need. You can ask for copies of the information that we hold about you;
- You can ask us to make changes to information we hold about you if you think that it is wrong.
- As the data collected in the Vaccine Management System form part of your clinical record, the right to erasure is partial and only applies to erasure of pieces of information no longer required by the HSC during provision of treatment.
- You can ask us to stop processing information about you, however this will not always be possible as information will still need to be processed for the purpose of your clinical care and public health protection.
- Other than for the planned transfer of your data to your GP record, it will not be possible to transfer your data to another organisation if requested.
- If you are not happy with what we do with the information we hold about you, you can speak to us about this.
- We use computers to hold and look at your information, but we do not use automated individual decision-making.
If you want more detailed information on these rights, this can be found on the ICO website, at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
If you wish to ask us about any of these rights please contact the Data Protection Officers (see email addresses below)
14. How do I complain if I am not happy?
If you are unhappy with any aspect of this privacy notice, or with how your personal information is being processed, please contact the Data Protection Officers at the following address:
HSCB Data Protection Officer:
PHA Data Protection Officer:
Should you have any concerns about how your data has been handled or remain dissatisfied with any response regarding the processing of your personal data, you can raise these concerns with the ICO, as follows:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK0 5AF
Tel: 0303 123 1113
Changes to this Privacy Notice
This Privacy Notice will be kept under regular review and any updates will be placed on our website.
Annex A – Data Controllers and Processors
All data processors are appointed under Data Processors Agreements in compliance with Article 28 of the UK GDPR, either via UK GDPR compliant contracts, or Memorandum of Understanding (MoU).
Under the terms of these arrangements HSCB is the data controller responsible for assessing that all processors listed below are competent to process personal data in line with UK GDPR requirements. This assessment will consider the nature of the processing and the risks to the data subjects.
Under Article 28(1) HSCB will ensure that only processors that can provide “sufficient guarantees” (in terms of its expert knowledge, resources, and reliability) to implement appropriate technical and organisational measures to ensure the processing complies with the UK GDPR and protects the rights of individuals. Contracts or Memorandum of Understanding (MoUs) will be in place to govern relationships with the data processors, which set out the obligations of each party and the data controllers’ obligations and rights regarding the data that is being processed. All contracts adhere to established BSO Procurement and Logistics Services (PaLs) processes and legal input provided by BSO Department of Legal Services (DLS).
All data processing takes place within the UK area and as such is subject to legislation in the form of the UK – GDPR.
The following provides a list of joint data controllers involved in delivery of the system.
- Public Health Agency was established in 2009 and is an Agency within NI whose role is to improve health and social wellbeing and oversee public health protection managing vaccination programmes (outside COVID-19).
- HSCB (Health and Social Care Board) is a statutory organisation responsible for providing health care services, including COVID-19 vaccination service.
The following provides a list of data processors involved in delivery of the system.
- Kainos is a system integrator providing VMS platform for storage and processing of vaccination records
- APTVision are medical systems software development company chosen to develop the VMS booking and scheduling platform and are responsible for the configuration of the booking system and interim VMS database. They are regarded as a processor contracted by HSCB. APTVision will provide support on an ongoing basis to the VMS booking system for the duration of its operation, as part of their contract. Their services are delivered via UK GDPR compliant G-Cloud contracts.
- BigMotive are software development company who were chosen to develop the VMS user interface and are responsible for the configuration of the VMS webforms and are regarded as a processor contracted by the HSCB. BigMotive will provide support for user experience (UX) design on an ongoing basis to HSCNI for the duration of the VMS operation, as part of their contract. Their services are delivered via UK GDPR compliant contracts.
- Business Services Organisation (BSO) is a statutory organisation providing services as a data processor for HSCB and PHA. BSO are responsible for monitoring and managing all Microsoft contracts as commissioned and monitored by HSCB and PHA. They are responsible for all VMS environments user access and provision of new user hardware (PC and phones). BSO ITS are responsible for the supply and maintenance of user hardware. PHA and HSCB have overarching SLAs with the BSO for services including ITS. Their services are managed via appropriate agreements with PHA and HSCB.
- Belfast Health and Social Care Trust (BHSCT). BHSCT is a statutory organisation providing VMS services as a processor for HSCB and PHA. BHSCT host the VMS application on their infrastructure. Their services are managed via appropriate agreements with HSCB and PHA.
- Microsoft are responsible for, within the Microsoft Azure environment including the Dynamic 365 environment, software upgrades, security patching and updates for the Vaccine Management System; these are published via MS Office 365 portal that BSO ITS have access to.
 This refers to the processing that is necessary for the performance of the official tasks carried out in the public interest in providing and managing a health service.
 Department of Health