National Vaccination Scheduling Service (NVSS) Privacy Notice
What is this privacy notice for?
The National Vaccination Scheduling Service ("NVSS") is the name of the web-based portal allowing individuals [over 12 and living in Scotland]:
to book and reschedule appointments for COVID-19 vaccinations [and/or boosters]
to book and reschedule appointments for the flu vaccination
to view their COVID-19 Vaccination history via the status tab
to download a copy of a certificate showing their COVID-19 vaccination history (referred to in this privacy notice as a "COVID-19 vaccination certificate"); or
to request a paper copy of their COVID-19 vaccination certificate
to download a copy of a certificate showing their COVID-19 recovery certificate for international travel (referred to in this privacy notice as a "COVID-19 recovery certificate"); or
to request a paper copy of their COVID-19 recovery certificate for international travel.
When you use the NVSS, we will process personal data about you (which may be held on paper or electronically) and we will treat it in a fair, secure and lawful manner. In this privacy notice, we will explain what information we collect, when we collect it and how we use this in relation to NVSS. It also helps you understand your rights and how to contact us if you need more information.
We also have a NVSS easy read privacy notice available on the NHS Inform website, which can be found here.
You can choose whether to use the NVSS portal. If you do not want to use the NVSS portal, you have an option to contact the National Contact Centre Helpline: Freephone number 0800 030 8013.
Who are we?
A controller is an organisation that determines the means and purposes of the processing of personal information.
We are The Common Services Agency for the Scottish Health Service, more commonly known as NHS National Services Scotland ("NHS NSS" or "us" or "we"). We designed the NVSS and administer the NVSS as a controller.
A processor is an organisation responsible for processing personal data on behalf of a controller. We use a number of processors for the purposes of NVSS, all under contracts with NHS NSS, as set out below:
ServiceNow - NHS NSS uses ServiceNow as a processor to provide software services. ServiceNow provides the IT platform on which information is stored but does not view or have routine access to your personal information. In very exceptional and limited circumstances, ServiceNow may require indirect access to the databases or other parts of the system that hold personal data in order to provide technical support services to NHS NSS.
Microsoft Azure - Microsoft Azure provides IT systems that we use to coordinate and manage vaccinations. Microsoft Azure Cloud Services are used to host the platform on which the NVSS module sits. Microsoft Azure does not have direct access to your personal information.
GOV.UK Notify - Used to send secure vaccination booking notifications back to you via email or text message, when you have re-scheduled your appointment via the portal or the National Vaccination Helpline. The Notification Service has been built for the needs of government services. It has processes in place to protect your data (e.g. email and text messages are encrypted). Staff have Security Check (SC) clearance from United Kingdom Security Vetting (UKSV).
Google Maps - Google Maps is used in the scheduling process to map your postcode to the nearest vaccination clinic. Google Maps will be provided with two postcodes (one of the home address and one of the clinic) through ServiceNow. Only the IP address of ServiceNow's server will be visible to Google Maps.
How does NVSS work?
Registering for an account
You must register with the NVSS to be able to access and use the NVSS portal to book and rearrange vaccination appointments, or to obtain a digital or paper copy of your COVID-19 vaccination certificate. You will be provided with a unique username on your initial vaccine appointment letter and you will be asked to enter it along with certain basic demographic information, including personal and contact details as described in more detail below.
You will also receive your username in your SMS when you book or reschedule an appointment online.
If you forget your username for the NVSS, you will be asked to provide details such as the date of your first or second vaccination, in order to recover your username.
Email / SMS communications
When you register for the portal, we will check if you are happy for us to use your email and telephone number to send you information about your vaccination appointments via email or SMS. We may also contact you via email or SMS to invite you to self-book an appointment on vacs.nhs.scot when you are eligible to book.
Communications by telephone
As part of our efforts to continually improve the vaccination programme, we may contact you if you did not attend your scheduled appointment, have not rebooked an appointment, or had a vaccine administered through another setting.
The purpose of the communication is a short quality improvement questionnaire with a view to improving our service. We would like to understand reasons for not attending scheduled appointments and to see if we can assist by offering you another suitable appointment.
Our lawful basis for contacting you for the purpose of carrying out the questionnaire in relation to your vaccination appointment can be found below.
Please note that when our National Contact Centre staff contact you, you will be asked whether you consent to participate. If you do not wish to participate, you do not have to provide your consent.
We will not be collecting any personally identifiable information from you during the quality improvement questionnaire, and therefore no personal data will be held in our systems.
Please note that all inbound and outbound calls to/from our National Contact Centre are recorded for quality, monitoring, and training purposes.
Paper communications
Any paper communications we send to you, such as appointment letters and your paper copy COVID-19 recovery certificate/COVID-19 vaccination certificate will be sent using Royal Mail. Royal Mail does not have access to your vaccination or appointment information. It uses your name and address to deliver letters to you.
What personal information are we using?
You will provide the following information when you register to use the NVSS:
Account Information:
Unique Username: This is contained within the appointment letter you will have received or in any text messages for booking/rescheduling your appointment.
Password: This is a password chosen by you (or on behalf of you if you have asked someone else to set up your account)
Identity Information:
Community Health Index (CHI) number (your unique NHS number), if you know this
Surname*
First name*
Date of birth*
Sex* (as held by your GP practice)
Contact Information:
Home address (as registered with your GP)
Postcode*
Contact telephone number
Contact email address
Communications preference: telephone or email
Other:
Ethnicity* (mandatory but there is an option of prefer not to say/don't know)
*The items above marked with a star are mandatory items, without providing these you will not be able to access and use the NVSS.
The following information is obtained from other sources:
Cohort Information: This information is obtained from your local Health Board, GP, Public Health Scotland and/or Social Security Scotland.
Eligibility criteria relevant to vaccination cohorts (e.g. shielding or household member, healthcare or social care worker, care home resident or staff, whether unpaid carer, care at home and age/health condition based cohorts).
Appointment Information: This information is obtained from your scheduled appointment or the appointment you have booked/rescheduled via the portal.
Date of appointment
Time of appointment
Administering centre
SMS or email sent for confirmation of appointment
Vaccine Consumption Record: This information is obtained from the National Clinical Data Store (NCDS), a database controlled by Public Health Scotland (PHS) and NHS Education for Scotland (NES).
Vaccination Name
Vaccination Dose
Vaccination Status
Vaccination Dates
Recovery Status:
First Name
Surname
Address
Postcode
Date of Birth
Date of positive test result
Disease type (Covid 19)
Country of test
Recovery status valid from date (The date the recovery period starts is day 11 after a positive test)
Recovery status valid to date (The date the recovery period ends is calculated as the day the positive test was taken plus 180 days)
If you are not able to provide your CHI number, we may use other information you have provided to retrieve your CHI number from the Community Health Index database, also maintained by us. The Community Health Index stores details of all patients registered with GP Practices in Scotland. This is necessary to ensure that your records are accurate and kept up to date.
If you have had a Covid 19 vaccination in England, NHS Digital (formerly known as the Health and Social Care Information Centre) will share confirmation of this to ensure that your clinical records in Scotland are up to date. If you have had a Covid 19 vaccine within the UK other than through NHS Scotland, you can also submit evidence to update your vaccination record via the online process at: https://www.nhsinform.scot/covid-19-vaccine/after-your-vaccine/request-an-update-to-your-vaccination-record or you can contact the National Contact Centre, another service hosted within NHS NSS which supports the COVID-19 contact tracing function, via email: nss.covaccrossborder@nhs.scot
We also publish information about the number of vaccines given in Scotland and other anonymous statistics for public understanding. These statistics are always provided in non-patient identifiable form and so we carry out a process known as "anonymisation" to turn your personal data into anonymous information so that you are no longer identifiable when this is used for statistical purposes.
What is our lawful basis to use your information?
We have a legal obligation to protect the health of the people in Scotland and the COVID-19 and Flu vaccines play a key role in helping us do this.
NHS NSS relies on the following lawful basis to collect and use your personal data in the provision of the NVSS:
UK General Data Protection Regulation (UK GDPR) Article 6(1)(e) - the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the NHS NSS.
Our conditions for processing information about your health, and any other sensitive information about you, are as follows:
UK GDPR Article 9(2)(h) - the processing is necessary for the purposes of preventive or occupational medicine, the provision of health or social care or treatment or the management of health or social care systems and services, supported by Schedule 1, Part 1, paragraph 2 of The Data Protection Act 2018.
UK GDPR Article 9(2)(i) - the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health, supported by Schedule 1, Part 1, paragraph 3 of The Data Protection Act 2018.
UK GDPR Article 9(2)(j) - the processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes, supported by Schedule 1, Part 1, paragraph 4 of The Data Protection Act 2018.
How will my personal data be shared?
Your personal data will only be shared if it is necessary to do so and subject to technical and organisational measures to protect it. Any organisation that receives the data will also be responsible for ensuring the data is handled safely, securely and that they always comply with data protection law.
In addition to the processors mentioned above who provide services in relation to the NVSS, NHS NSS will share your personal data with the following organisations, for the purposes stated below:
NHS Scotland Health Boards - as part of their public health duties. Health Boards are responsible for vaccinating the population in their territorial area. GPs assist the Health Boards in this responsibility. Health Boards have been given access to the NVSS to make appointments for their own patients. They cannot see any other Health Board's patients' information.
Public Health Scotland (PHS) - PHS is one of the controllers of the NCDS, which stores vaccination records for [people living in Scotland]. NVSS sends ethnicity data to an ethnicity database, which PHS then uses for research and statistics. The reports contain anonymous statistical information only and do not contain any details that could identify you. These reports are shared with the Scottish Government and NHS Scotland Health Boards.
NHS National Education for Scotland (NES) - along with PHS, NES is a controller of the NCDS. NHS NES also assists with the creation of prioritised cohorts for vaccination based on agreed population and health risk criteria. NHS NES also receives an extract of the appointments for each clinic to its Vaccination Management Tool (VMT). The VMT has been created by NHS NES to allow for the recording and verification of individuals upon their arrival at the clinic together with details of each vaccination dose given.
NHS Digital - NHS Digital provides the English vaccination booking service, and captures and manages vaccination events for people living in England. We share data with each other for patients who have had a Covid 19 vaccination(s) in England but now require a COVID-19 vaccination certificate in Scotland.
How long will my personal data be kept?
The personal data held as part of the NVSS will be retained for 18 months after your last vaccination.
Vaccination data used within NVSS forms part of your health record, and will be kept by your Health Board and GP for your lifetime, plus 3 years.
Where does my personal information go?
Your data will be stored securely on NHS Scotland servers within the United Kingdom. We will not share your personal data outside the United Kingdom.
How do we look after your information?
NHS NSS is committed to protecting and respecting the privacy of individuals whose personal information is held and used by us and to complying with our obligations under the Data Protection Act 2018, the UK GDPR and our organisational data protection policies. We have appropriate technical and organisational measures in place to keep your data safe, and all of our staff are trained in information governance and confidentiality and are required to comply with such legislation and policies.
What are my rights?
Under the UK GDPR and Data Protection Act 2018, you have the following rights:
The right to be informed.
The right of access.
The right to rectification.
The right to erasure.
The right to restriction of processing.
The right to data portability.
The right to object.
Rights in relation to automated decision-making.
The right to lodge a complaint with the supervisory body.
Some of these rights are not absolute and may not apply in all circumstances. Requests are considered on a case-by-case basis.
Exercising your rights
If you have questions or complaints, or you would like to exercise your rights described above, the contact information you need is noted below:
NHS National Services Scotland - for details on your rights and how to exercise them for personal data processed by NHS NSS, please refer to the data protection notices on the NHS NSS website (https://www.nss.nhs.scot) at:
NSS Data Protection Notice | National Services Scotland (nhs.scot) and
NSS Data Protection Notice - Other Rights | National Services Scotland (nhs.scot)
Contact details of the NHS NSS Data Protection Officer (DPO)
Email Address: nss.dataprotection@nhs.scot
Postal Address: Gyle Square, 1 South Gyle Crescent, Edinburgh, EH12 9EB
Telephone: 0131 275 6000
To raise a complaint with the Information Commissioner's Office (ICO) as the supervisory body in the UK, contact:
Information Commissioner's Office
Postal Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone number: 0303 123 1113
Website: www.ICO.org.uk