NHSE is looking to prioritise COVID vaccination for frontline staff for critical public service, to achieve this, workplaces are required to provide identifiable information about all recipients.
Employee personal data is needed by the NHS to contact identified critical employees and offer a COVID vaccination.
What information will be provided?
- CCG area
- Employing organisation
- Staff Role category
- Location postcode
- Mobile number
- Category of employer (council)
Do I have to provide this information and what will happen if I don’t?
The information will be provided to offer vaccination appointments. The vaccination is voluntary and the individual can choose how they respond.
What allows you to use my information?
Your employer will share the data in line with GDPR and Data Protection Act 2018 which allow the processing of data Personal data for:
- GDPR Article 6 (1) (e) Public task: The processing is necessary for you to perform a task in the public interest or for your official functions and the task or function has a clear basis in law
- GDPR Article 9(2)(i) Public Health: Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare’
- Data Protection Act 2018, Sch 1, Part 1, (d): Public Health.
The basis in law is met by the Coronavirus (COVID-19): notice under regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 – general:
- Identifying and understanding information about patients or potential patients with or at risk of COVID-19.
- Providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from COVID-19.
- Monitoring and managing the response to COVID-19 by health and social care bodies and government.
- Delivering services to patients, clinicians, the health services and adult social care services workforce and the public in connection with COVID-19, including the provision of health care services.
Who will my information be shared with?
Your personal data will be provided to the NHS to support the vaccination programme.
How will the information be used?
Knowsley Council will use your information to monitor uptake of the vaccination, this will include personal information which will include the management of the response to Covid19.
The NHS shares information with a number of organisations for purposes including vaccination and management of Covid 19 response. The NHS has provided the following information on how your data will be managed by them, further information on how the NHS manages your information can be accessed here: NHS Privacy Notice
Sharing staff data with NIMS
NHSE is looking to achieve 100% coverage for flu and COVID vaccination for health and social care staff and all NHS providers vaccinating staff and patients are required to provide identifiable information about all recipients.
That is because NIMS holds data about who has been vaccinated with what and when so that it can:
- phase the call/recall service matching clinical need with vaccine supply;
- support clinical safety by managing intervals between flu and COVID vaccinations and between multi part COVID vaccinations; and
- provide an early warning system in case of adverse effects to new vaccines.
Critical frontline staff are part of the population and so need to be included. Apart from the safety issues, if staff vaccinations were not included then the system would not know that they had been vaccinated and staff already vaccinated would be constantly called and recalled by mail, email, text and phone; in addition, given the pressures on the workplace already responding to the coronavirus pandemic, it is important that managers are aware of the risks that low vaccination rates amongst staff might have as pressures build through the Winter period.
NIMS already holds PID details such as name and address and vaccination history for the entire population. But because NIMS can only report on critical frontline workers if it knows who they are, it is necessary for relevant organisations to provide information so that individual members can be identified and their employer details can be added to their NIMS record. The information to be provided should either be NHS numbers of health and care workers or information including name, address, date of birth and sex which allows the NHS number to be derived. Local organisations will be able to extract this information from the Electronic Staff Record (ESR) or local HR systems.
When employer details have been recorded on NIMS, it will be possible for local health and care organisations to obtain details about the vaccination status of their staff (including whether they have received the vaccination from their GP or local community pharmacy). If providers submit additional data such as role and location, then NIMS will provide further analysis of the vaccination status for each provider for local use. NIMS will only make data at a staff member level available to the providers for whom the staff member works.
Your rights over your information
Under data protection law, you have a number of rights over your personal information. You have the right to:
- ask for a copy of any information we hold about you
- ask for any information we hold about you that you think is inaccurate to be changed
- ask us to restrict our use of your information, for example, where you think the information we are using is inaccurate
- object to us using any information we hold about you, although this is not an absolute right and we may need to continue to use your information – we will tell you why if this is the case
- delete any information we hold about you, although this is not an absolute right and we may need to continue to use your information – we will tell you why if this is the case
- ask us not to use your information to make automated decisions about you without the involvement of one of our staff
To exercise any of your rights by contacting us at:
Data Protection Officer
Or email: firstname.lastname@example.org