Privacy Statement

1. Purpose

The purpose of this document is to live up to the requirements of the UK GDPR and to ensure a transparent relationship between VUK and its customers.

2. Scope

This document applies to all people external to the company, whose personal data is processed, and the internal staff involved in the processing.

3. Ownership

The document must be approved by the CMO and reassessed by the Information Security Manager each year or after a major change (relevant legislation, business modification, …).

4. Definitions/Acronyms

  • GDPR: General Data Protection Regulation

  • Personal data: Information that relates to an identified or identifiable individual.

 

5. Contact and data protection officer

Vaccination UK is registered as a Data Controller with the Information Commissioner’s Office (ICO – the UK’s regulator for data protection) within tier 2, with registration number Z5818516.

If you have any questions about this notice, or would like to invoke your rights then please contact us on:

 

VACCINATION UK LTD

5 Portmill Lane

Hitchin, Herts SG5 1DJ

United Kingdom

Company number: 03682679

Mail: privacy@elcg.dk

 

Or get in touch with our Data Protection Officer:

GDPR Assist UK LTD

dpo@vaccinationuk.co.uk

6. Which personal data do we process and with what purpose

We process your personal data for a variety of purposes as set out in the sections below, which also show our lawful basis under UK data protection legislation (UK GDPR) for doing so.

6.1 When you visit our websites

6.1.1 Purpose

When you visit our websites, we collect information about your behaviour to obtain statistics on the site use and for marketing on social media.

6.1.2 Legal basis for processing of personal data

The processing of personal data is based on your consent. Please note that you can withdraw your consent at any point.

6.1.3 Categories of personal data

We collect only personal data provided by you, which consists of IP address and your browsing behaviour.

6.1.4 Recipients of personal data

Your information is shared with Meta and Google.

6.1.5 Retention

The information used for statistics purposes is kept for 24 months, after which it is automatically deleted.

6.1.6 Automated decision-making and profiling

The collected personal information is not used for automated decision-making nor profiling.

6.1.7 Cookies

We use cookies on our websites. Please consult our cookie policy for additional information.

6.1.8 Links to other websites

There may be links on our websites that lead to other sites or our partners. We cannot be held responsible for the content of these sites or collection of personal data carried out there and you should read their Privacy Notices for information about their processing.

6.2 When your child gets vaccinated by us

6.2.1 Purpose

Vaccination UK typically receives general parent/guardian contact information from the school or the NHS, which is then used for collecting information about your child to ensure that we have up-to-date health information about their condition at the time that you are consenting for them to receive an immunisation. Their identity data are used to ensure that we identify and update their electronic health record accurately.

6.2.2 Legal basis for processing of personal data

The personal information is processed because of our legitimate interests in managing the vaccination programme on behalf of your local authority and the NHS.  We process your child’s health related information for the purpose of delivering preventative medicine and the provision and management of healthcare in accordance with UK GDPR and the Data Protection Act 2018.

6.2.3 Categories of personal data

We ask for basic identity data (e.g. name, date of birth, school etc) to allow us to identify the child and their health record. The information about their health is utilised by nurses to ensure that they can confirm that the immunisation is suitable for them and also update their health record with details of the vaccination(s) provided.

6.2.4 Recipients of personal data

Your child’s data will be shared securely with their General Practitioner (GP) and with the child health information system (CHIS) which holds immunisation and screening information for all children in the UK. Some of the information might also be processed by a limited number of technology providers who support our service delivery (see Who Do We Share Your Personal Data With below). It is not shared with anyone else.

6.2.5 Retention

The information will be stored on their electronic health record after their vaccination; this information will then be available throughout their lifetime. Their paper records will be destroyed once they have been scanned onto their digital record.

6.2.6 Automated decision-making and profiling

The collected personal information is not used for automated decision-making nor profiling.

6.3 When you call our support

6.3.1 Purpose

When you call our support, we process the provided personal information with the purpose of resolving your query (e.g., making an appointment or providing information about vaccination).

6.3.2 Legal basis for processing of personal data

Your data are processed because we have a legitimate interest in managing and responding to your query.  If any special category data are included (such as health related data) then we process those for the purpose of delivering preventative medicine and the provision and management of healthcare in accordance with UK GDPR and the Data Protection Act 2018.

6.3.3 Categories of personal data

We strive to collect only information that is absolutely necessary to resolve your request – usually though it will include identity and contact details (name, date of birth, etc), name of school and guardian(s), as well as relevant elements of medical history.

6.3.4 Recipients of personal data

The personal data remain within our control and are not shared with third parties other than the technology providers who support our service delivery (see Who Do We Share Your Personal Data With below).

6.3.5 Retention

The personal data will be deleted when it is no longer relevant, in most cases, within 12 months of the request getting resolved.

6.3.6 Automated decision-making and profiling

The collected personal information is not used for automated decision-making nor profiling.

6.4 When you write an email to us

6.4.1 Purpose

When you write to us, we process the provided personal information with the aim of solving the query you have approached us with.

6.4.2 Legal basis for processing of personal data

Your data are processed because we have a legitimate interest in managing and responding to your query.  If any special category data are included (such as health related data) then we process those for the purpose of delivering preventative medicine and the provision and management of healthcare in accordance with UK GDPR and the Data Protection Act 2018.

6.4.3 Categories of personal data

We strive to collect only information that is absolutely necessary to resolve your request – usually though it will include demographic details (name, date of birth, …), name of school and guardian(s), as well as relevant elements of medical history.

6.4.4 Recipients of personal data

The personal data remain within our control.

6.4.5 Retention

The personal data will be deleted when it is no longer relevant, in most cases, within 12 months of the request getting resolved.

6.4.6 Automated decision-making and profiling

The collected personal information is not used for automated decision-making nor profiling.

6.5 When you visit our social media websites

6.5.1 Purpose

We, Meta, LinkedIn, and Twitter collect and process your personal data when you visit or interact with company pages ("fan pages") or profiles. The purpose of the processing is to be able to market ourselves to potential customers, retain inquiries and similar related purposes.

We follow the ICO's current guidelines regarding shared data responsibility and strive to ensure that visitors to our social media pages receive information about personal data. At present, this entails, among other things, that we continuously try to enter into a dialogue with our suppliers regarding the regulation of joint data responsibility and the distribution of responsibilities. As mentioned below in this policy, visitors to our social media pages also have the opportunity to exercise their rights, e.g. the right to access, the right to object and the right to deletion.

Note! If you do not want your information to be processed, please refrain from visiting our social media pages, as it is not currently possible for us to change our partner’s data collection settings.

6.5.2 Legal basis for processing of personal data

The processing of personal data is based on legitimate interest taking into consideration balancing of interests. Information that would require consent is not processed.

6.5.3 Categories of personal data

Typically, we collect contact information in the form of name, email or phone number. If we receive sensitive information/special categories information, it will be deleted as soon as it comes to our attention.

6.5.4 Recipients of personal data

Apart from the social media owner your personal data are not shared.

6.5.5 Retention

Since the personal data published on the social media pages are provided directly by you on our publicly accessible page, the information will initially remain on the page as long as it exists. As the submitter of the information, you can always object to the balancing of interests, with a view to having any postings deleted.

6.5.6 Automated decision-making and profiling

The collected personal information is not used for automated decision-making nor profiling.

6.6 When you report a medical problem or launch a complaint

6.6.1 Purpose

When you report a medical problem or launch a complaint with us, we process the personal data with the purpose of handling and resolving the query.

6.6.2 Legal basis for processing of personal data

The processing of personal data is based on legal obligations.

6.6.3 Categories of personal data

We ask for basic demographic data together with relevant medical information.

6.6.4 Recipients of personal data

We may share your personal information with the public institutions (NHS, CQC).

6.6.5 Retention

The report/complaint together with its associated information is kept for 3 years after which it is deleted.

6.6.6 Automated decision-making and profiling

The collected personal information is not used for automated decision-making nor profiling.

7. Who do we share your personal data with

We utilise a number of external companies and services that process personal data on our behalf – they serve as ‘data processors’ for us. Every single one of our data processors has entered into a data processing agreement with us, which ensures that our stipulated requirements for the protection of personal data are followed. The commonality in these agreements is that the data is only transferred, i.e. it remains under our control and cannot be used by the external party for their own purposes.

To the extent possible we engage data processors based within the UK or EU/EEA, so that the personal data is not transferred to unsafe third countries. In certain cases, however, we use data processors in the USA, but only if they meet the applicable requirements according to the UK GDPR and we always ensure we have appropriate mechanisms and safeguards in place.

In extraordinary circumstances, under legitimate interest or legal obligations, we may disclose personal data to external organisations. These may be insurance companies, tax or law enforcement authorities and the like. In such situations, they become data controllers for the personal data they receive from us, as they themselves determine the purposes of processing etc.

8. How do we keep your data secure

We take sensible steps to keep your data secure and ensure we can uphold your rights and meet our obligations under UK GDPR:

  • Data processed on our systems are encrypted both while in transit and at rest

  • Systems themselves are hardened and regularly tested for technical weaknesses

  • Physical protections are put in place to prevent unauthorised access

  • Access to personal data is provided only to staff with a legitimate need, and strong authentication (with multiple factors) is enforced.

  • Our employees are all DBS checked, subject to an obligation of confidentiality, and receive training on data protection matters

  • We ensure that appropriate contracts are in place with our suppliers who process your personal data to protect your rights, to ensure that they take appropriate security measures to safeguard your data, and that any international transfers are done correctly under UK GDPR

 

9. Data subject rights

You have a number of rights relating to the processing of your data (see details below). If you would like to use them or have any questions, please contact us at gdpr@elcg.dk.

We won’t charge you for handling your request, however we may reject it or require a compensation in case of frequent, repeated or unfounded requests.

9.1 Right to be informed about the collection and use of personal data

You have the right to be fully informed about why and how we process your information.  This privacy notice is intended to meet that requirement, but please do contact us if you have any questions.  If we obtain your personal data from a third party (e.g. a social media platform) then we will tell you where we have obtained your information from.

9.2 Right to access personal data

You have the right to request a copy of the data we hold about you.

9.3 Right to restrict the processing of personal data

You have the right to ask us to restrict the processing of personal data whilst we check its accuracy: if you think the processing is unlawful; if you believe we no longer need to process the data but you need us to store it due to pending legal claims; or when you object to our processing based upon our legitimate interests and we are assessing the validity of that.

9.4 Right to erase data

You have the right to ask us to delete the data we hold about you.  Where we are holding the data to fulfil a legal obligation or a contract with you or your organisation then we will need to retain the data in accordance with the data retention requirements shown above.

9.5 Right to rectify inaccurate or incomplete personal data

If you believe some of the data we hold is wrong or incomplete then you have the right to ask us to correct it.

9.6 Right to data portability

You can request a copy of your data in a digital format which you can then supply to another provider when we are processing your personal data.

9.7 Right to object to automated decision-making and profiling

You have the right, in certain circumstances, not to be subject to decisions based on automated processing (including profiling) if it has a significant or legal impact on you.  This doesn’t apply if the processing is necessary to fulfil a contract with you, or if you have given us your consent to do so.  We do not currently use any technology to make automated decisions about you.

9.8 Right to complain

You are always welcome to reach out to us at the address provided above if you have a question or would like to complain about our handling of your personal information. Should you not be satisfied with our response, you can launch a complaint with the Information Commissioner’s Office (ICO) on their helpline 0303 123 1113 or online at www.ico.org.uk.

Please note that the ICO will normally ask you to contact us first.

We are rated Good by the Care Quality Commission and we are known as a progressive, agile provider, continually striving to achieve the safest, most efficient service possible.

The CQC Registered Manager for NHS commissioned services is Amanda Schiller, Clinical Director for Vaccination UK Ltd. She is the Governance Lead for these programmes, and her base is Head Office, 5 Portmill Lane, Hitchin, Hertfordshire.
