The National Vaccination Scheduling Service (NVSS) is the name of the web-based portal allowing individuals (over 12 and living in Scotland) to:
When you use the NVSS, we will process personal data about you (which may be held on paper or electronically). We will treat it in a fair, secure and lawful manner.
In this privacy notice, we will explain:
It also helps you understand your rights and how to contact us if you need more information.
You can choose whether to use the NVSS portal. If you don’t want to use the NVSS portal, you have an option to contact the National Contact Centre Helpline on 0800 030 8013.
A controller is an organisation that determines the means and purposes of the processing of personal information.
We are The Common Services Agency for the Scottish Health Service, more commonly known as NHS National Services Scotland (“NHS NSS” or “us” or “we”). We designed the NVSS and administer the NVSS as a controller.
A processor is an organisation responsible for processing personal data on behalf of a controller. We use a number of processors for the purposes of NVSS, all under contracts with NHS NSS.
NHS NSS uses ServiceNow as a processor to provide software services. ServiceNow provides the IT platform on which information is stored but does not view or have routine access to your personal information.
In very exceptional and limited circumstances, ServiceNow may require indirect access to the databases or other parts of the system that hold personal data in order to provide technical support services to NHS NSS.
Microsoft Azure provides IT systems that we use to coordinate and manage vaccinations. Microsoft Azure Cloud Services are used to host the Platform from which the NVSS module sits on. Microsoft Azure does not have direct access to your personal information.
Gov.Uk Notify are used to send secure vaccination booking notifications back to you via email or text message, when you’ve re-scheduled your appointment via the portal or the National Vaccination Helpline.
The Notification Service has been built for the needs of government services. It has processes in place to protect your data (e.g. email and text messages encrypted). Staff have Security Check (SC) clearance from United Kingdom Security Vetting (UKSV).
Google Maps is used in the scheduling process to map your postcode to the nearest vaccination clinic. Google Maps will be provided with two postcodes (one of the home address and one of the clinic) through Service Now. Only the IP address of Service Now’s server will be visible to Google Maps.
You must register with the NVSS to be able to access and use the NVSS portal to:
You’ll be provided with a unique username on your initial vaccine appointment letter and you’ll be asked to enter it along with certain basic demographic information, including personal and contact details.
You’ll also receive your username in your SMS when you book or reschedule an appointment online.
If you forget your username for the NVSS, you’ll be asked to provide details like the date of your first or second vaccination, in order to recover your username.
When you register for the portal, we’ll check if you’re happy for us to use your email and telephone number to send you information about your vaccination appointments via email or SMS.
We may also contact you via email or SMS to invite you to self-book an appointment when you are eligible to book.
Any paper communications we send to you, like appointment letters and the paper copy of your COVID-19 recovery certificate or COVID-19 vaccination certificate, will be sent using Royal Mail. Royal Mail does not have access to your vaccination or appointment information. It uses your name and address to deliver letters to you.
You’ll provide the following information when you register to use the NVSS.
*The items above marked with a star are mandatory items, without providing these you will not be able to access and use the NVSS.
The following information is obtained from other sources:
If you are not able to provide your CHI number, we may use other information you have provided to retrieve your CHI number from the Community Health Index database, also maintained by us. The Community Health Index stores details of all patients registered with GP Practices in Scotland. This is necessary to ensure that your records are accurate and kept up to date.
If you have had a COVID-19 vaccination in England, NHS Digital (formally known as the Health and Social Care Information Centre) will share confirmation of this to ensure that your clinical records in Scotland are up to date.
If you have had a COVID-19 vaccine within the UK other than through NHS Scotland, you can also submit evidence to update your vaccination record online. You can also contact the National Contact Centre, another service hosted within NHS NSS which supports the COVID-19 contact tracing function, via email at nss.covaccrossborder@nhs.scot.
We also publish information about the number of vaccines given in Scotland and other anonymous statistics for public understanding. These statistics are always provided in non-patient identifiable form and so we carry out a process known as “anonymisation” to turn your personal data into anonymous information so that you are no longer identifiable when this is used for statistical purposes.
We have a legal obligation to protect the health of the people in Scotland and the COVID 19 and Flu vaccines play a key role in helping us do this.
NHS NSS relies on the following lawful basis to collect and use your personal data in the provision of the NVSS:
Our conditions for processing information about your health, and any other sensitive information about you, are as follows:
The personal data held as part of the NVSS will be retained for 18 months after your last vaccination.
Vaccination data used within NVSS forms part of your health record, and will be kept by your Health Board and GP for your lifetime, plus 3 years.
Your data will be stored securely on NHS Scotland servers within the United Kingdom. We will not share your personal data outside the United Kingdom.
Under the UK GDPR and Data Protection Act 2018, you have the following rights:
Some of these rights are not absolute and may not apply in all circumstances. Requests are considered on a case-by-case basis.
If you have questions, complaints or you would like to exercise your rights described above, the contact information you need is noted below.
For details on your rights and how to exercise them for personal data processed by NHS NSS please refer to the data protection notices on:
NSS Data Protection Notice | National Services Scotland (nhs.scot)
NSS Data Protection Notice – Other Rights | National Services Scotland (nhs.scot)
Email address:nss.dataprotection@nhs.scot
Gyle Square
1 South Gyle Crescent
Edinburgh
EH12 9EB
0131 275 6000
To raise a complaint with the Information Commissioner’s Office (ICO) as the supervisory body in the UK, contact:
Website: http://www.ICO.org.uk
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
0303 123 1113
Last updated:
12 January 2023