In news that is likely to concern individuals and privacy activists alike, it has been reported that the NHS booking system for COVID-19 vaccinations has led to complaints that it could be used to reveal the vaccination status of individuals through the use of simple personal information.

The website allows users to book appointments for COVID-19 vaccinations, either by means of their NHS number, or by entering certain basic personal data, (including names, dates of birth and postcodes).  The website then provides a variety of responses based on the user’s vaccination status, with different responses being provided based on whether the individual has received no vaccinations, one vaccination, or both.

Potentially, this would allow users of the website in the possession of easily accessible personal data of other individuals to discover the vaccination status of such third parties, which could cause them damage and distress of various kinds.  The apparent failure to protect this special category health-related personal data of individuals has raised concerns, with fears that such information could be used by various groups, such as employers, insurance companies or scammers, in a number of ways.

The National Data Guardian for Health and Social Care has reportedly confirmed that it has received communications from concerned individuals, while noting that the website has been created to make booking vaccination appointments as simple and easy as possible.  It has also confirmed that the organizations responsible for the website have been contacted to discuss the concerns raised, together with “the twin important aims of protecting confidentiality whilst maintaining easy access to vaccinations for the public”.  NHS Digital also appears to be taking steps to address the privacy concerns around the booking system.

While, a quick and efficient online vaccination booking system is obviously beneficial in the context of a global pandemic, the possible issues around the website are a salutary reminder to UK-based data controllers of the importance of complying with the requirements of the UK GDPR and Data Protection Act 2018 when designing new systems and services, particularly those that involve the processing of any special categories of personal data, such as health-related data.

Organizations should be mindful of their responsibilities regarding the processing of any sensitive health-related personal information, particularly regarding the identification of appropriate legal bases for processing such data, the provision of comprehensive privacy information to relevant data subjects, purpose limitation, data minimization, security, the principles of data protection by design and default and the importance of conducting robust data protection impact assessments prior to commencing the processing of such data where required, among other things.

It will be interesting to see how privacy issues around the vaccination booking system are addressed and how appropriate protections for individuals’ health-related data are ensured.