• Safe & Effective
  • Kind & Caring
  • Exceeding Expectation
Vaccination as a Condition of Deployment

Data Controller: Vaccination as a Condition of Deployment

The Royal Wolverhampton NHS Trust (RWT) is expanding the scope of data processing to include verification of COVID-19 vaccination for frontline employees and other persons engaged to deliver frontline NHS services. Data processing for this purpose is known as Vaccination as a Condition of Deployment (VCOD).

Amendments to the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 (“the 2014 Regulations”) will take effect from 1 April 2022. These amendments will apply to CQC regulated activity and will therefore constrain RWT to only employ or engage persons who have completed an authorised course of COVID-19 vaccination, or possess a NHS COVID Pass.

Subject to medical exemptions (see the section ‘Processing and Verifying Medical Exemptions’), employees and engaged persons aged 18 and over, who have direct face to face contact with NHS service users, will have to provide evidence of completing a course of COVID-19 vaccination approved by the Medicines and Healthcare products Regulatory Agency (MHRA).

Return to top

To enable RWT implement amendments to the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 (“the 2014 Regulations”), and encourage COVID-19 vaccine take up, personal data of all employees may be processed. 

Scope of processing is necessary to:
  1. Ascertain the particulars of employees and other engaged persons who fall within the scope of regulation, for mandatory COVID-19 vaccination 
  2. To verify COVID-19 vaccination
  3. Encourage COVID-19 vaccination across the workforce
Personal and Special Category Data to be processed
  • Name and title – Personal data
  • Home address – Personal data
  • Email address – Personal data
  • Telephone and mobile number – Personal data
  • Date of Birth – Personal data
  • Gender – Personal data
  • Ethnicity – Special category data
  • Health data (including NHS number) – Special category data
  • Religious, political, and philosophical beliefs – Special category data

Return to top

RWT will harness the functionality of NHS digital assets to collect, organise, consult, record, transmit, disclose, restrict, and retain evidence of employee COVID-19 vaccination or medical exemption. 

Information Assets and Tools used for VCOD processing:
  • Microsoft Office 365 suite
  • Electronic Staff Record (ESR) Database
  • National Immunisation & Vaccination System (NIVS) Database
  • National Immunisation Management System (NIMS) Database

The Workforce Information Team will cross reference information from ESR against NIVS and/or NIMS. Data will be structured by relevance and may be disclosed to authorised recipients (see the section ‘Who Can See my VCOD Data’) in read only format, accompanied by strict non-disclosure conditions.

Lawful Basis for Processing VCOD Data
RWT will process VCOD data lawfully, applying the following personal and special category lawful basis in the UKGDPR:

Lawful Basis for Processing Personal Data Lawful Basis for Processing Special Category Data

Article 6(1)c
Processing is necessary for compliance with a legal obligation to which RWT is subject.

Article 9(2)h
Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of UK law or pursuant to contract with a health professional and subject to conditions and safeguards.

Processing and Verifying Medical Exemptions

Not everyone will be able to get vaccinated against COVID-19. 

Visit COVID-19 medical exemptions: proving you are unable to get vaccinated to see:
  • Reasons you could get a medical exemption
  • How to apply for a medical exemption

Once a medical exemption has been approved, you will be given a NHS COVID Pass, which will not disclose the medical reason for exemption and our Workforce Information Team will be able to verify your NHS COVID Pass, by cross referencing against NIVS or NIMS (see the section 'How RWT will Process VCOD')

Return to top

In upholding the principle of data minimisation, we have restricted disclosure of identifiable VCOD data. Recipients of VCOD data are split into two groups as follows:

Group VCOD Data Disclosure
Group A
  • Relevant Group Manager
  • Relevant Service Manager
  • Relevant HR Manager
  • Covid Vaccination Managers
  • Modern Matrons (restricted to those who appear on the authorised signatory list)
  • The Occupational Health Service

Identifiable VCOD data (see the section ‘Whose Personal Data and What Personal Data Will be Processed’)

Group B
  • Trust Board
  • Chiefs
  • Directors and Deputy Directors
  • NHS England

Aggregate VCOD data only (further restriction will be placed on aggregate VCOD data reporting, to prevent inadvertent disclosure of identifiable personal information for teams with ≤ 7 employees)

Return to top

If we need to use your information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent. The Data Protection Act 2018 gives you certain rights, including the right to:

  • Request to access the personal data we hold about you, e.g. Personnel records (see “How to access your personal data” below)
  • Request the correction of inaccurate or incomplete information recorded in our records, subject to certain safeguards
  • Request that your information be deleted or removed where there is no need for us to continue processing it and where the retention time has passed
  • Ask us to restrict the use of your information where appropriate
  • In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, to withdraw your consent for that specific processing at any time
  • Challenge any decisions made without human intervention (automated decision making)

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.


The Right of Access
You have the right to request a copy of any information held by the Trust as well as any supplementary information. See Can I Access my VCOD Data? for details on how to request your information.

Return to top

You have a right to see or have copies of any information held by the Trust that relates to you, free of charge. We have the right to charge an administration fee in situations where repeated requests are received for the same information or the request is excessive. You will be required to prove your identity when making requests.

Subject Access Requests under GDPR rules will be processed within 30 days. However, once our teams have established the volume of records requested there may be a requirement to extend this up to a further 2 months. We will contact you within 30 days should this be the case. To request access to the data we hold about you, please contact the HR Department. Email: rwh-tr.hrgovernance@nhs.net. Please note, to request access to your personal file, please request this through your line manager, in line with HR09 - Personal Files Policy.

Please remember to include details of the information you require and your contact details. If you are a current member of staff, you will be required to provide your Trust identification badge number. If you are an ex-member of staff or external requestor, we will require sight of your passport or photo driving licence together with a document showing your name and address (e.g. utility bill).

Return to top

Your personal information is held in paper and electronic formats, for specified periods of time as set out in the Record Management Code for Practice for Health and Social Care 2016, retention schedules.

We hold and process your information in accordance with the General Data Protection Regulation (GDPR) in conjunction with the Data Protection Act 2018. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.

We have a duty to:
  • Maintain records about you in accordance with retention guidelines
  • Keep records about you confidential and secure
  • Provide information in a format that is accessible to you

Your personal information will only be kept for as long as is necessary and will be destroyed in accordance with the retention schedule and relevant Trust policies.

Return to top

Email: rwh-tr.hrgovernance@nhs.net or Tel: 01902 307999 Ext.4162

You also have a right to complain directly to the Information Commissioner’s Office if you feel the Trust has not responded effectively to any of the above.

Information Commissioners Office
Wycliffe House
Water Lane

Telephone: 0303 123 1113
Website:  https://ico.org.uk/

Return to top

A Teaching Trust of the University of Birmingham