Data Protection: COVID-19 Vaccine Information System

Purpose

The Health Service Executive (HSE) as the Data Controller for the COVID-19 Vaccination Information System complies with all applicable data protection legislation. The purpose of this notice is, in the interest of transparency, to explain how we collect and use personal information to enable the implementation of the COVID-19 Vaccination Programme.

You can view our full Privacy Notice.

You can view our Data Protection Impact Assessment.

The information we process

In order to provide the COVID-19 Vaccination to you it is necessary for the HSE to collect and process various categories of personal information about you. Only relevant data is recorded, for example, data that is necessary to identify you, book your appointment, record your vaccination and monitor its effects.

Type of information we collect

Personal data means any information relating to you which allows the HSE to identify you such as, your name and address, contact phone numbers and e-mail address. The HSE will collect the following personal information about you:

·       First and Last Name
·       Home Address
·       Contact Telephone Number (Mobile)
·       Contact Telephone (Landline)
·       E-mail Address (Personal)
·       E-mail Address (Work)
·       Gender
·       Date of Birth
·       Age
·       Occupation
·       PPS Number
·       Individual Health Identifier (IHI)
·       GP Name and Address
· Contact information for Parent or Legal Guardian for persons below 16 years of age

Special Categories of personal data includes sensitive data about you. The HSE will collect the following special category data about you:
· Data concerning your Health
· Ethnicity

Why we process your information

To ensure appropriate governance of information in relation to the vaccination programme.
To schedule appointments for vaccination.
To maintain and manage access to appropriate healthcare records of vaccinations, adverse reactions etc.
To make sure that we can identify you correctly against your Individual Health Identifier (IHI).
To manage the recording of consent for vaccination.
To provide appropriate anonymised reporting and analytical functionality.

It is intended that your personal and special category data collected as part of the vaccine programme will be used for the purposes of programme management and reporting.

We will also share your personal data with the Health Identification Service (HIDS) to ensure we can identify you correctly against your Individual Health Identifier (IHI).

Special Categories of Patients

The roll-out of the vaccination programme is being governed by the Government’s National COVID-19 Vaccination Programme: Strategy (December 2020) and is focused on prioritising the most vulnerable for receipt of the vaccine.

The vaccine rollout is based on the approved Vaccination Allocation Sequencing in the strategy which sets out the order in which specific groups will be invited to attend for vaccination. As part of this process, decisions are regularly made in relation to offering urgent appointments to people identified as being in the very high-risk and high-risk groups.

In order to identify these individuals in a timely manner, the HSE may seek individual personal details of patients and service users from a limited number of professionals such as GPs, Pharmacists and Private Consultants as well as from relevant organisations such as hospitals and disability service providers. This information can include personal details such as: name; address; phone number; PPSN and special category data relating to an individual’s health condition.

The HSE has a lawful basis for requesting such personal information under the Infectious Diseases Regulations 1981. Professionals and organisations who hold such information are legally obliged to comply with the request. In line with these regulations, this process will be under the governance of the National Medical Officer of Health.

Use of Personal Public Service Number (PPSN) for the purposes of finding your Individual Health Identifier (IHI).

Where possible, the HSE will use your PPSN to locate your Individual Health Identifier (IHI) on the National Register of Individual Health Identifiers. The lawful basis for this processing is contained in the Health Identifiers Act 2014.

Using your PPSN to accurately locate your Individual Health Identifier helps to ensure that your particulars are being correctly assigned with the correct IHI which is required for patient safety.

Under both the Health Identifiers Act 2014 and the Medicinal Products (Prescription and Control of Supply) (Amendment) (No. 7) Regulations 2020, if you do not have, or are unable to give, a personal public service number, you may provide other identifying particulars in order to help locate your IHI.

Where you do not have a PPSN, the HSE may need to manually assign an Individual Health Identifier (IHI) to your record. If you do not have a PPSN number, the HSE may need to contact the Department of Social Protection (DSP) to confirm the status of your PPSN. This is to ensure that there are no duplication of records.

This means that no individual presenting to receive a COVID-19 Vaccine will be denied the vaccine because they are unable to provide their PPSN.

Who can access your data

Data will only be shared on a strict need-to-know basis for specific purposes relating to the management of the vaccination programme and Health Identification Services.

It may only be accessed by:

HSE staff involved in pre-vaccination, vaccine administration, and post-vaccination tasks as well as general management of the programme
HSE staff and external suppliers involved in providing the Health Identification Services
External professionals such as GPs and Pharmacists in relation to their patients
Private Hospitals and Service Providers (Section 38 & 39 agencies) administering vaccines on behalf of the HSE;
External data processors for the purposes of issuing Digital Covid Certificates
External suppliers for the purposes of managing and maintaining IT systems
Health Products Regulatory Authority for the purposes of monitoring vaccine safety
Other Government agencies for the purposes of preparing anonymised statistical reports.

How your information will be kept secure

The HSE has legal obligations under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 to ensure all personal data which is collected and processed by the Vaccine Information System is kept confidential and secure. To comply with these legal obligations, the HSE and its suppliers who are supporting the Vaccine Information System have implemented a number of technical and organisational measures to protect the Vaccine Information System and the data stored on the system from unauthorised or unlawful processing, accidental loss, destruction or damage.

Legal basis for processing

The HSE’s lawful basis under the General Data Protection Regulation for processing personal data relating to the vaccine programme is as follows:

The processing of personal data is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6.1(e) GDPR;

The processing of special category data is necessary:

For the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems on the basis of Union or Member State Law or pursuant to contract with a health professional and subject to conditions and safeguards (Article 9.2(h) GDPR;
The Health Identifiers Act 2014 provides for the use of existing client identification data (“identifying particulars”) for the creation and maintenance of the National Register of Individual Health Identifiers; Part 2 (sections 6 and 7(1))
For reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy (Article 9.2(i) GDPR

Will my information be processed outside the European Economic Area (EEA)

While the Vaccine Information System is hosted within the European Economic Area (EEA), some of the management and support of the Vaccine Information System is provided by the HSE’s suppliers from countries outside the EEA. It may occasionally be necessary for these HSE suppliers to process vaccine data in countries outside the EEA.

In compliance with GDPR, the HSE and these suppliers have entered into appropriate arrangements as set out in Chapter V of the GDPR in order to facilitate the processing of vaccine data outside the EEA.

How long your information will be kept

Data about you will be retained on the HSE Vaccine Information System in accordance with the HSE Record Retention Policy or as long as legally required.

It is intended that data in relation to an individual’s vaccination will be held for a minimum of the lifespan of the individual and a maximum of 8 years after death. Personal information that is shared with the Health Identifier Service may be kept even after death. This is to prevent modification or transfer of your IHI to another person.

Your rights

You have certain legal rights concerning your information and the manner in which we process it. These include:

a right to get access to your personal information;
a right to request us to correct inaccurate information, or update incomplete information;
a right to request that we restrict the processing of your information in certain circumstances;
a right to request the deletion of personal information, excluding medical records;
a right to receive the personal information you provided to us in a portable format;
a right to object to us processing your personal information in certain circumstances; and
a right to lodge a complaint with the Data Protection Commission.