Read our latest advice on Coronavirus (COVID-19)


Our services are open and safe to attend – we are here to help

Privacy notice – COVID-19 vaccinations for staff

Patients and visitors

More in this section

Part of the national response to the coronavirus (COVID-19) pandemic is the need to record the details of staff who have been vaccinated against COVID-19. Vaccinations are normally undertaken in GP practice or community settings. With COVID-19 vaccinations, this will be undertaken in a variety of care settings and for the majority of health and care staff, vaccinations will be managed by 'lead providers' on behalf of local health and care organisations.

It remains the choice of the individual whether to have the vaccine, but Guy's and St Thomas' NHS Foundation Trust need to be able to share staff details via national systems to make sure all staff are given the chance to receive their vaccination in line with the national requirements. We must also record the details of the vaccination and share that information with your GP, so that your health records are kept up to date.

Across England, a variety of lead providers and systems are being used to manage the vaccination process. This covers data processing to support staff requesting the vaccination, booking the appointment, and administering the vaccination. The sharing of this information is necessary to allow the coordinated and effective roll-out of this vaccination programme to staff across England.

1) Controller contact details

Guy's and St Thomas' NHS  Foundation Trust

St Thomas' Hospital, Westminster Bridge Road, London, SE1 7EH

Tel 020 7188 7188

2) Data Protection Officer contact details

ig@gstt.nhs.uk

 

3) Purpose of the processing

The purpose of the processing along the data flows is to effectively deliver and document the administration of COVID-19 vaccinations to staff members within health and care organisations.

4) Lawful basis for processing

 

Under the General Data Protection Regulation (GDPR), the lawful basis for processing this data is found at articles:

 

6(1)(c) Processing is necessary for compliance with a legal obligation to which the controller is subject,

 

6(1)(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,

 

and

 

9(2)h processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

 

In addition, with the COVID-19 vaccination, we have an obligation to let your employer know that you have been vaccinated to support their obligation to safety in the workplace. The lawful basis for this processing is found at articles:

 

6(1)(c) Processing is necessary for compliance with a legal obligation to which the controller is subject,

 

6(1)(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,

 

and

 

9(2)(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment

 

9(2)(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health

 

The 'Notice' issued by the Secretary of State for Health sets aside the requirements of Common Law Duty of Confidentially for COVID-19 purposes, Regulation 4 Health Service Control of Patient Information Regulations 2002 provides that ‘information may be processed in accordance with these Regulations, notwithstanding any common law obligation of confidence’, meaning that identifiable patient data can be shared with other organisations where it is 'necessary' for a COVID-19 purpose.

 

View the Coronavirus (COVID-19): notice under regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 ON THE GOV.UK website.

5) Recipient or categories of recipients of the processed data

Health and social care organisations, GPs, arm's length bodies (such as NHS Digital and Public Health England), local authorities.

6) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. You can exercise this right by contacting the organisation’s data protection officer, whose details are listed above. There is no right to have accurate medical records deleted except when ordered by a court of law.

7) Retention period

The data will be retained in line with the law and national guidance.

Read the Records Management Code of Practice for Health and Social Care 2016 on the GOV.UK website.

8) Right to complain

You have the right to complain to the Information Commissioner's Office (ICO). Register a complaint on the Information Commissioner's Office website

You can also call the helpline on 0303 123 1113 (local rate) or 01625 545 745 (national rate).

There are national ICOs for Scotland, Northern Ireland and Wales.