Seeking consent for immunisations in schools
Guidance on the statutory requirements to consent for immunisations in schools.
Statutory duties and delegations
The Secretary of State for Health and Social Care has a duty to provide vaccination services, which is set out in section 2A of the National Health Service Act 2006 in that the Secretary of State must take such steps as the Secretary of State considers appropriate for the purpose of protecting the public in England from disease or other dangers to health. The steps that may be taken include providing vaccination, immunisation, or screening services.
The Secretary of State has asked NHS England to fulfil this specific responsibility to commission services to vaccinate children and young people in schools. This is documented in the annual NHS public health functions (section 7A) agreement and Annex A lists the immunisations to be provided.
Personal data
Lawful basis for processing personal data (including confidential patient information) The lawful bases identified under the UK General Data Protection Regulation (UK GDPR) for processing personal data in relation to young people’s vaccinations are as follows:
Section 2A of the National Health Service Act 2006 is the basis in law which provides justification for processing young people’s information for vaccinations.
However, as confidential patient information is required to be processed, a legal gateway that sets aside the common law duty of confidentiality (CLDC) is required in addition to the lawful bases detailed above.
To be clear, consent is not the lawful basis under the UK GDPR or the CLDC for processing children’s personal data for the purpose of vaccinations.
The CLDC is set aside by The Health Service (Control of Patient Information) Regulations 2002 regulation 3, which states that in relation to communicable disease and other risks to public health, subject to paragraphs (2) and (3) and regulation 7, confidential patient information may be processed with a view to (d) monitoring and managing (iii) the delivery, efficacy, and safety of immunisation programmes.
In addition, regulation 4 – ‘Modifying the obligation of confidence’ states that anything done by a person that is necessary for the purpose of processing confidential patient information in accordance with these Regulations shall be taken to be lawfully done despite any obligation of confidence owed by that person in respect of it.