Transparency data

NHS COVID-19 vaccine booking service: transparency notice

Updated 14 May 2021

1. Introduction

The Secretary of State for Health, acting through its Executive Agency, Public Health England, has commissioned the provision of a vaccine helpline to support members of the public, their representatives and health care providers in matters relating to the provision of COVID-19 vaccines, as and when they become available, together with related support and advice. Public Health England is an Executive Agency of the Department of Health and Social Care (DHSC).

The COVID-19 vaccine helpline is a temporary service which has been rapidly mobilised as a part of the UK’s national response to the COVID-19 pandemic emergency. It is currently envisaged that this service will transition to, or be replaced by, a different and/or permanent service once the emergency aspects of the COVID-19 pandemic reduce to a lower, less critical level.

A telephony service has been commissioned to allow the public to make vaccine bookings over the telephone. The call agent will access the online vaccine booking tool, the National Booking Service, to make the booking on behalf of the caller. In addition, the service will answer any questions the caller has about the COVID-19 vaccination.

The DHSC and NHS England and Improvement are operating as Joint Controllers under data protection law to deliver the COVID-19 vaccine service.

2. Contact details of the Data Protection Officers

The appointed Data Protection Officers as required under the UK GDPR and the Data Protection Act 2018 are as follows, however if you wish to exercise any of your data protection rights, contact us at england.dpo@nhs.net

Lee Cramp, Data Protection Officer
Department of Health and Social Care (DHSC)
39 Victoria Street
London
SW1H 0EU

Email: data_protection@dhsc.gov.uk

Carol Mitchell, Data Protection Officer
NHS England and Improvement
Quarry House
Quarry Hill
Leeds
LS2 7UE

Email: england.dpo@nhs.net

3. Purposes of processing your personal data including health information

We process your personal data for the following purposes:

1. Administration of COVID-19 vaccination bookings

2. Compliments and complaints

3. Service planning and forecasting

4. Quality assurance

  • calls will be recorded and monitored for quality and safety purposes to maintain service delivery standards

5. Medical and scientific research (by Public Health England, Executive Agency of DHSC)

6. Clinical governance

7. Miscellaneous purposes

  • to update guidance provided to callers, for example ‘Questions and Answers’ (Q and A)
  • ombudsman requirements
  • non-clinical auditing
  • fulfilment of any legal obligation placed upon the organisation(s)

The legal basis for processing your personal data is:

“processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (as set out in Article 6(1)(e), UK GDPR)

and

“processing is necessary for the purposes of preventative or occupational medicine,…the provision of health or social care or treatment or the management of health or social care systems and services on the basis of law” (as set out in full in Article 9(2)(h), UK GDPR)

This legal basis includes public health tasks and delivery of this service.

5. Categories of personal data provided during the booking process

We process the following categories of personal data (highlighted in bold below), together with examples of the types of personal data processed included within each category:

1. Contact information:

  • addresses, telephone numbers, e-mail addresses, contact details for your GP/health care professional

2. Identification information: date of birth, NHS number, proof of attorney/ guardianship

3. Health information:

  • relevant medical history including but not limited to past vaccinations, allergies, medications, any COVID-19 symptoms (from your Summary Care Records)

4. Occupation/work sector:

  • job title, role, name/type of employer, industry

5. Call recording:

  • audio files, call transcripts

6. Compliments and complaints information:

  • contact details, nature of issue/concern

7. Miscellaneous information:

  • may include any of the above and/or additional information to fulfil and respond to any legal obligations, data protection requests, legal disputes and/or public reporting

Some of the above categories may also contain data that is described as special category data, for example health information

6. Categories of recipients of your personal data

We will only share your personal data with those that have a valid ‘need to know’ reason to fulfil their role for the purpose of delivering this service. Individuals will only be given access to the part of your personal data that is needed to perform their role to maintain service delivery. These include but may not be limited to:

  • carers and/or representatives calling on your behalf
  • call handling agents
  • clinicians and safeguarding professionals
  • IT system processors

7. Other recipients of your personal data

We will also need to share your personal data on a ‘need to know’ basis with other trusted recipients to perform key activities on our behalf to deliver an effective service. These include, but are not limited to the following:

  • Vodafone: provider of telephone line and call connection to Teleperformance (processor acting for NHS England and Improvement and DHSC)

  • Teleperformance: provider of call connection to call agents that respond to calls received and make the vaccine booking on behalf of the caller using the National Booking Service online tool (processor acting for NHS England and Improvement and DHSC)

  • Hinduja Global Solutions (HGS) UK Ltd: provider of call agents that respond to calls and make the vaccine booking on behalf of the caller using the National Booking Service online tool through IT solutions provided by Teleperformance (processor acting for NHS England and Improvement and DHSC)

  • NHS Digital: provider of the National Booking Service used by Teleperformance and HGS UK Ltd call agents to make the vaccine bookings on behalf of the caller

We may share your personal data with other recipients for research purposes where they have an established legal basis to receive your personal data. Data will have personal identifiers removed where the research purposes can be achieved without them.

This list of recipients will be kept under review and updated to inform you if or when a new recipient is appointed.

8. How your personal data is kept secure

The security of your personal data and health information is of paramount importance to us. Personal data including any health information you provide during the vaccine booking process call is taken by trained call handlers, with an awareness of security procedures in place for protection of your data. Calls are recorded and monitored for quality and safety purposes. Access to recordings is controlled and subject to a Quality Assurance process.

Teleperformance, one of our suppliers, provides the IT solutions that manage your personal data taken during the call on behalf of NHS England and Improvement and DHSC. There are technical and organisational security safeguards in place to minimise risks associated with data loss, misuse, unauthorised access, disclosure and alteration. Personal data and the IT solutions are backed-up to data centres located in the UK to minimise any impact on data loss. At an organisational level, our suppliers are certified to IS027001:2013, an international standard for the management of information security and receive regular surveillance visits.

We require our suppliers to follow security guidelines as detailed in their contractual terms in processing your personal data on our behalf. In the unlikely event that there is a requirement to report any data breaches to the Information Commissioners Office, the UK regulator for data protection, we will do so in accordance with the UK GDPR and Data Protection Act 2018.

9. Details of transfers of personal data to any third countries or international organisations

Processing of your personal data is completed within the UK and we do not currently intend to transfer your personal data outside the UK. If this changes in the future, we will update this notice to reflect that and we will ensure any restricted transfers of personal data only take place where adequate safeguards are in place.

10. How long we will hold your personal data

We will retain your personal data and health information for as long as necessary depending on the purposes and no longer than 8 years after the second vaccination date. We instruct our third-party partners on how long to keep personal data that is retained on our behalf. We will also dispose of personal data and health information sooner if it is appropriate to do so. Further details can be found at the Records Management Code of Practice for Health and Social Care 2016.

11. The rights available to individuals in respect of the processing

You can exercise rights in relation to your personal data that are set out below, where those rights apply under data protection law. These are not absolute rights and the availability of some of these rights may vary depending on the circumstances in which they are applied. If you wish to exercise any of your data protection rights, please contact us at england.dpo@nhs.net

We will aim to respond to your requests in relation to your rights within one month and if it is going to take longer we will outline the reason and provide an updated response time. Your rights and how they apply are described below.

1. The right to get copies of your information


You have the right to ask for a copy of any information about you that we hold.

2. The right to get your information corrected


You have the right to ask for any information held about you that you think is inaccurate to be corrected.

3. The right to limit how your information is used


You have the right to ask for any of the information held about you to be restricted, for example, if you think inaccurate information is being used.

4. The right to object to your information being used


You can ask for any information held about you to not be used. However, this is not an absolute right and we may need to continue using your information. We will tell you if this is the case.

5. The right to get information deleted


This is not an absolute right and we may need to continue to use your information. We will tell you if this is the case.

12. The right to lodge a complaint with the Commissioner

If you are not happy or wish to complain about how your personal data is used as part of this service, we would recommend that you contact either the DHSC or NHS England and Improvement in the first instance to resolve the issue (contact details can be found in section 2 above).

If you are still unsatisfied, you have the right to lodge a complaint with the Commissioner for data protection. In the UK, the Commissioner is:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113 (local rate)

www.ico.org.uk

13. Where your personal data originated from and whether it was obtained from publicly accessible records

The sources of your personal data are:

  • caller (includes representative/health care provider)
  • National Health Service (NHS) Systems (from your Summary Care Records)

We will not refer to information held about you on any publicly available records, for example Companies House.

14. Details of the existence of automated decision-making including profiling

Automated decision-making processes including profiling are not used in the provision of the booking service to administer COVID-19 vaccines.

Version: 2 Published: 14 May 2021