Sign In

My Neighbourhood

Use your postcode to find local councillors, facilities, school catchment areas and more.

Find facilities in my area

Cardiff Council

Privacy Notice for use in Vaccination of Care Home, Local Authority and NHS Staff ​

​​​​​​The purpose of this notice

This notice explains how your personal information is processed during the particular circumstances around Covid-19 and the Government’s Test, Trace, Protect Strategy to reduce the incidence of infection. Vaccination is a fundamental approach to public health practice and forms part of the Protect phase of the Government’s Strategy. This notice specifically explains how we deal with your information for the vaccination phase. More information can be found on the Welsh Government website.

What happens next – do you need to provide consent for your information to be shared?

No, you will not be asked for your consent – the legal basis for processing your personal data, including sharing, is covered within this notice.    

You will be contacted for an appointment at a Health Board site or there may be a local drop-in session which you may be able to attend. The Health Board will need to collect some clinical information about you, if they do not already hold it, such as whether you have had a flu vaccination or whether you have any allergies. This information, and that you have chosen to have the vaccination, will be recorded in your medical record and on the Wales Immunisation System (WIS) held by NWIS.

Following vaccination your GP, Local Authority and/or your employer’s Occupational Health department may be informed. This will assist with their legal obligations to manage your own and other people’s health, wellbeing and safety. For the same purpose, your GP, Local Authority and/or employer’s Occupational Health department may also be informed if you have refused to have the vaccination.

What personal data is collected and used?

To assist with the vaccination programme your local Health Board will need to collect personal data.  The data it will collect about you may include:

  • Full name
  • Date of birth
  • Gender
  • Preferred language
  • NHS number (if known)
  • Full Address including postcode
  • Telephone Number
  • Email address
  • Preferred communication method
  • Disability and ethnicity
  • Allergies
  • Vaccination status
  • Immunisation history

Your mobile number will be used to send text reminders and your email will be used as an alternative means to contact you.  Some of this will be supplied to the Health Board vaccination team by your employer in order for the vaccination team to offer you a vaccination, and some will be collected by the vaccination team when it speaks to you.

For how long is the personal data kept?

Vaccination, test results and information related to any ongoing conditions related to Covid-19 will remain in your health record in accordance with NHS retention schedules.

Is the information used for purposes other than vaccinations?

The information collected by the Health Board may also be used to:

  • Understand COVID-19 incidences and trends in order to manage the risks to public health and to control and prevent the spread of COVID-19
  • Identifying and understanding information about patients or potential patients with or at risk of COVID-19
  • Deliver health and welfare services to citizens across Wales
  • Ensuring all staff at all workplaces are safe 
  • Research and planning in relation to COVID-19 (including potentially being invited to be part of clinical trials)
  • Monitoring the progress and development of COVID-19

What is the legal basis for processing your personal data?

In the first instance your employer will rely on the following legal bases under the UK General Data Protection Regulation (UK GDPR) to provide your details to the local Health Board for it to offer you a vaccination:

  • Article 6(1)(c) – Processing is necessary for the compliance with a legal obligation (Health and Safety) to which the Controller is subject (your employer)
  • Article 6(1)(f) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.  A Legitimate Interests Test has been applied as part of a Data Protection Impact Assessment (DPIA) to confirm the application of this legal basis. 

Once the Health Board has this information, then the legal basis it will use for processing your personal data for vaccination purposes under UK GDPR is:

  • Article 6(1)(e) – Task carried out in the public interest or in the exercise of official authority vested in the controller (the Health Board)
  • For special category data (health data) an additional legal basis is required and, in this case, there are two applicable:
  • Article 9(2)(h) Provision of preventative or occupational medicine, health or social care or treatment, or the management of health or social care systems
  • Article 9(2)(i) - Processing must be necessary for reasons of public interest in the area of public health (such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices)

Other applicable legislation

There are several other pieces of legislation which allow and enable the organisations to collect and use your data, some of the main ones are:

  • Public Health (Control of Disease) Act 1984
  • Coronavirus Act 2020
  • The Health Protection (Coronavirus Restrictions) (Wales) Regulations 2020

Useful Contacts

You will find details on how the Local Health Board handles all of your information by visiting the Cardiff and Vale privacy policy.

If you have any concerns or complaints over the handling of your personal data you should in the first instance contact the Data Protection Officer at your local Health Board.  For Cardiff and Vale University Health Board, please contact:

Information Governance Department
Cardiff and Vale University Health Board
Ground Floor, Woodland House
Maes-y-Coed Road
CF14 4TT

Tel: 029 2184 5624 E-mail: CAV.IG.Dept@Wales.NHS.UK​

If however you remain unsatisfied you may complain to the Information Commissioner’s Office at:

Information Commissioner’s Office – Wales, 
2nd Floor, Churchill House, 
Churchill Way, 
CF10 2HH

Telephone 033 0414 6421          Email: ​ ​

© 2022 Cardiff Council