Skip to main content

How the COVID-19 vaccination status statement service uses your data and what your rights are.

First published:
24 May 2021
Last updated:

Introduction

The Welsh Government in conjunction with Digital Health and Care Wales (DHCW) is providing a service that will produce a COVID-19 vaccination status statement. This will allow residents in Wales to evidence (either electronically via a smartphone, or manually on paper) their COVID-19 vaccination history.

How does the service work?

Digital users

When the digital service becomes available, users will be able to use an NHS login to authenticate into the service. Data will then be retrieved from existing data we hold to provide a statement of your vaccination history on your smart device.

Non-digital (COVID19 vaccination status statement)

Users will be asked to provide name, date of birth and postcode in order to confirm their details. If the individual has been fully vaccinated a letter will be produced and sent to the address we hold for correspondence.

What is the purpose for the processing of personal data?

The principal aim of the COVID-19 vaccination status statement programme is to ensure that illness and death from COVID-19 can be minimised as the UK’s social and economic life is re-established.

What does the COVID-19 vaccination status statement service do?

The COVID-19 vaccination status statement service provides citizens with evidence of their vaccination history. As the country resumes normal functions, this data will be useful for further aspects of unlocking as they arise, for example for International travel.

What do I need to do?

Digital users

When the digital service becomes available, you will need to register for a user account via NHS Login (for the digital service) if you don’t already have one.

Non-digital (COVID19 vaccination status statement)

You can contact the Wales COVID-19 vaccination status statement service by telephone to arrange for the sending of a COVID-19 vaccination status statement

Data controller

The data controllers for this service will be the Welsh Government and DHCW. Swansea Bay University Health Board and the City and County of Swansea and HH Global operate the service as data processors – details of activities undertaken by the processors appear in the Appendix to this Privacy Notice.

The Data Protection Officers for these organisations can be contacted as follows:

Data Protection Officer

Welsh Government
Cathays Park
CARDIFF
CF10 3NQ

Data Protection Officer

Digital Health and Care Wales
Tŷ Glan-yr-Afon
21 Cowbridge Road East Cardiff
CF11 9AD

DHCW makes available the information about your vaccine history to the service, from the vaccination database known as the Wales Immunisation System (WIS). This is a central system containing all vaccination information for those vaccinated in Wales. WIS is controlled and operated by DHCW and the local health boards in Wales.

The personal data we collect and how it is used

In order to ensure your COVID-19 status can be delivered to you, data will be presented from the existing COVID-19 vaccination data source within NHS Wales (WIS).

Personal data used

The data used in the system includes the following:

  • surname
  • forename
  • address
  • postcode
  • date of birth
  • gender
  • NHS number
  • dose number
  • vaccine manufacturer
  • vaccine type
  • batch number
  • date of dose
  • administering authority
  • vaccine given (confirmation)

Automated decision making or profiling

For the purposes of effective compliance with the requirements of Article 22 of the General Data Protection Regulation (GDPR), the Controllers consider that automated decision making is not engaged in this service.

How will my information be shared

Your information will be made available to you either via the NHS App (once available) or via letter. Your data will be shared with the processors for the purpose of producing the COVID-19 Vaccination Status Statement. Your data will not be shared any further.

Lawful basis for processing personal data

The legal basis for the use of personal data in the service will be

UK GDPR Art. 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller to meet the statutory obligations under Section 2A(1) of NHS Act 2006, to protect public health; and

UK GDPR Art. 9 (2)(i)processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy, underpinned by DPA 2018 – Schedule 1, Part 1, s. 2(2)(f) – health or social care purposes.

How long do we keep your personal data?

Data is derived from source systems. Data processed in providing the COVID-19 vaccination status statement service will only be used for the period of time required to create the statement. For users of the digital option, when available, the data will not be retained once you log off. For users of the non-digital option your data will not be retained by the COVID-19 vaccination status system once the letter has been printed. Data will continue to be retained in source systems and services.

We handle your personal data in accordance with appropriate procedures and technologies in order to maintain and protect its security, availability, confidentiality and integrity, and prevent its unlawful or unauthorised processing, accidental loss or damage, from its collection until its destruction.

Storage of data by the NHS in Wales is provided secure computing infrastructure on servers located in the United Kingdom. Our platforms are subject to extensive security protections and encryption measures.

Your rights as a data subject

By law, you have rights as a data subject. Your rights under the General Data Protection Regulation and the UK Data Protection Act 2018 apply.

  • Your right to get copies of your information – you have the right to ask for a copy of any information about you.
  • Your right to update or correct your information – you have the right to ask for any information held about you that you think is inaccurate, to be corrected.
  • Your right to limit how your information is used – you have the right to ask for any of the information held about you to be restricted, for example, if you think inaccurate information is being used.
  • Your right to object to your information being used – you can ask for any information held about you to not be used. However, this is not an absolute right, and we may need to continue using your information, and we will tell you if this is the case.
  • Your right to get your information deleted – this is not an absolute right, and we may need to continue to use your information, and we will tell you if this is the case.
  • If you’re unhappy or wish to complain about how your personal data is used you should contact your local health board in the first instance to resolve your issue. If you’re still not satisfied, you can complain to the Information Commissioner’s Office.

If you have concerns about the accuracy of the data relating to your vaccinations, you should in the first instance contact the Data Protection Officer at the health board in which you received the vaccination. This may be contained on correspondence from that health board including any letter you received or text message.

If you have concerns that your personal details are incorrect, please check with your GP surgery that they have your correct details in the first instance as the NHS maintains a central record of your contact information when you register for NHS services via a GP.

If you have any queries relating to immunisations or your immunisation record in general, please contact your local health board.

You can also contact any of the Data Protection Officers relating to this service as listed above.  Members of the relevant data protection teams will endeavour to get back to you as soon as possible to confirm receipt.

Should you make a request under the UK General Data Protection Regulations, we will require your name and contact details in order to meet our legal obligations under the law to provide you with a response. We will only use this personal information to deal with your request and any matters which arise as a result of it. We will keep your personal information, and all other information relating to your request, for 3 years from the date on which we responded to your request.

Security

We use appropriate technical, organisational and administrative security measures to protect any information we hold in our records from loss, misuse, unauthorised access, disclosure, alteration and destruction. We have written procedures and policies which are regularly audited and reviewed at a senior level.

Changes to our policy

We keep our privacy notice under regular review, and we will make new versions available on our privacy notice page on the Welsh Government website. This privacy notice was last updated on 19 May 2021.

Complaints around the processing

If you wish to make a complaint about the processing of your personal data you should in the first instance contact the data controllers of the information.

If you are not happy with the data controller's response, you can contact the UK regulator the Information Commissioner at:

Information Commissioner's Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113

Fax: 01625 524510

Appendix: Data processor responsibilities

Data processor responsibilities
Data processor details Role Controllers responsible
HH Global
  • To electronically receive details for printing Covid-19 status statements via a secure digital delivery.
  • To arrange for the secure printing of Covid-19 status statements on the appropriate counterfeit proof paper.
  • To arrange for the posting Covid-19 status statements to the relevant party.
Welsh Government – to contract
[Secure data file delivery provider]
  • To ensure secure delivery of the print file.
Digital Health and Care Wales
Swansea Bay University Health Board
  • To issue NADEX IDs to local authority employees on behalf of the joint controllers.
All Joint Controllers
The City and County of Swansea Council
  • To answer calls from members of the public requesting Covid-19 status statements.
  • To screen calls to ensure that a Covid-19 status statement is only issued to persons visiting countries where a Covid-19 status statement is required.
  • To search the Covid-19 status statement database for the individual.
  • To select the option to print the Covid-19 status statement.
All Joint Controllers