Privacy Notice - For Staff Vaccination Information


On 9th November 2021, the Department of Health and Social Care began the process of making it a legal requirement for any staff working in health and social care settings to be fully vaccinated against COVID-19, unless exempt. This means that each staff member will be required to provide evidence that they have been fully vaccinated against COVID-19, subject to specific exemptions, by no later than 1 April 2022. This will include front-line workers, as well as non-clinical workers not directly involved in patient care but who nevertheless may have direct, face to-face contact with patients, such as receptionists, ward clerks, porters and cleaners. These regulations will protect vulnerable people and individual workers in health and social care settings, including hospitals, GP practices, dentists, community services and where care is delivered in a person’s home. In order to monitor compliance with the new regulations, the organisation must collect information about vaccination status of eligible staff and/or any medical exemptions that might apply.

1) Data Controller contact details: 
The Village Surgery
31 Bramhall Lane South

2) Data Protection Officer contact details: Umar Sabat, Data Protection Officer

3) Purpose of the processing: To comply with Government requirements to ensure patient-facing workers are protected against COVID-19 and to reduce the spread of the virus in the health and social care setting, which includes vulnerable individuals at higher risk of COVID-19.

4) Lawful basis for processing: In order that we can carry out processing of your personal data, we need a lawful basis to do so. The lawful bases for processing, storing and sharing this data under the General Data Protection Regulation (GDPR) are:-

Article 6(1)(e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Article 9(2)(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment.

Article 9(2)(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Article 9(2)(h) the processing is necessary for medical diagnosis, the provision of health treatment and management of a health and social care system.

Article 9(2)(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.

Furthermore, the Health and Safety at Work Act 1974 obliges employers to take reasonable steps to reduce any workplace risks; this duty gives employers justification for encouraging their employees to be vaccinated to protect themselves and everyone else at the workplace. COVID-19 is also a reportable disease under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (known as RIDDOR) which strengthens employers’ encouragement that employees should agree to vaccination. In addition, the ‘Notice’ issued by the Secretary of State for Health sets aside the requirements of Common Law Duty of Confidentially for COVID-19 purposes, Regulation 4 Health Service Control of Patient Information Regulations 2002 provides that ‘information may be processed in accordance with these Regulations, notwithstanding any common law obligation of confidence’, meaning that identifiable patient data can be shared with other organisations where it is ‘necessary’ for a COVID-19 purpose.

5) Recipient or categories of recipients of the shared data: Your identifiable data will remain within your employing organisation.

6) Rights to object: You have the right under Article 21 of the GDPR to object to your personal information being processed. Please contact us if you wish to object to the processing of your data. You should be aware that this is a right to raise an objection which is not the same as having an absolute right to have your wishes granted in every circumstance. You will need to provide information on your specific circumstances which relate to the reasons you are objecting.

7) Right to access and correct: You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.

8) Retention period: Your information will be stored in line with the NHS Records Management Code of Practice 2021. In some circumstances, for example where we are legally required to, we may keep your information for a longer period of time. Information that identifies you will be stored securely and processed in the UK. We will ensure that there are appropriate security safeguards including strong cyber security.

9) Right to Complain: You have the right to complain to the Information Commissioner’s Office, you can use this link or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate) There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

Please note that the COVID-19 vaccination effort is fast-moving and this privacy notice is subject to change.