© Crown copyright 2021
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: firstname.lastname@example.org.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/get-support-if-youre-clinically-extremely-vulnerable-to-coronavirus-privacy-notice/get-coronavirus-support-as-a-clinically-extremely-vulnerable-person-privacy-notice
The service to support people who are clinically extremely vulnerable to coronavirus (COVID-19) is now closed and all personal information has been deleted. This includes:
- personal information individuals provided when they registered on the service
- personal information collected when individuals contacted us with queries
The Cabinet Office, as the data controller for the service and personal information, has ended all Data Sharing Agreements with organisations that we have shared information with during the emergency response to COVID-19, such as supermarkets and local authorities. As part of this we have issued instructions for those organisations to stop using and to delete the information we shared with them.
This service was run by the Cabinet Office, working with:
- the Ministry of Housing, Communities & Local Government
- the Department for Environment Food & Rural Affairs
- the Department for Work & Pensions
- the National Health Service (NHS)
This privacy notice explains what personal information we collected before the service closed and how it was processed.
What personal information we collected
The NHS provided us with personal information about individuals who are clinically extremely vulnerable to coronavirus. This included:
- date of birth
- phone numbers
- NHS number
We collected the following information through the online service and automated telephone system when individuals registered for shielding support:
- date of birth
- email address
- contact details
- NHS number
- details of the support you needed (for example, care needs or help getting essential supplies)
In the early stages of the pandemic, we also received information from participating supermarkets about individuals that they had not been able to match against their customer databases.
Lawful basis for processing your personal information
Under the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018 we processed this information on the basis that we were carrying out a task in the public interest.
Some of the information we held was sensitive health and care information. This was classed as ‘special category’ personal data, as set out in Schedule 1 of the UK Data Protection Act 2018. This meant that we required a further lawful basis for processing it. We relied on substantial public interest and governmental purpose to process the special category personal data.
What we did with your information
When individuals submitted information through the online service or the automated telephone service, we compared it to information shared with us by the NHS to confirm they had been identified as clinically vulnerable to coronavirus.
We used the information to determine individuals’ support needs and, where necessary, we shared this information with other public and private sector organisations supporting the shielding programme to ensure those needs were met. This included:
- local authorities so they had accurate information on clinically extremely vulnerable people in their area and could provide support to people who needed it
- participating supermarkets until the end of June 2021, so they could prioritise shopping orders for those who have previously registered and indicated that they need help getting supplies (when we did this, we shared only the minimum information necessary to get support to individuals as quickly as possible - and we did not share confidential health and care information)
- food wholesalers so they could deliver food boxes to those who requested them - this only happened until August 2021
- the Department for Work and Pensions (DWP) who ran the outbound call centre to contact people who were known to be vulnerable to coronavirus but had not registered on the service
Where individuals contacted us about the service, we asked them to confirm some of the information they provided when they registered to confirm their identity.
In some cases we used individuals’ contact details to ask for feedback on the service.
In periods where shielding was suspended, we used the information to make sure that we had accurate, up to date records and to maintain a level of readiness should service have been needed again.
We used the data to produce anonymised information and share this information with other government departments to improve services, understand changing patterns of support needs or identify new support needs. The data we shared for this purpose did not identify anyone personally.
How long we kept your information
At the start of the service we committed to only keeping your personal information for as long as we needed it to help with the overall government response to coronavirus. We kept these arrangements under review throughout the pandemic to make sure our retention of this information remained appropriate and proportionate.
We have now determined that we no longer need to retain this information and have therefore deleted it. Where we shared information with other organisations, we have terminated all Data Sharing Agreements and issued instructions for those organisations to stop using the information and to delete it.
Where your information was processed and stored
Your personal information was stored within the European Economic Area (EEA).
How we protected your information
We set up systems and processes to prevent unauthorised access to or disclosure of the data we collected. For example, we protected the data using varying levels of encryption. All third parties that processed personal information as part of delivering the service were required to keep that information secure.
While the service was open for new registrations, users had the option of creating an NHS login to confirm their identity when they used the service online.
By creating and using an NHS login, individuals provided personal information to NHS Digital. NHS Digital is the data controller for any personal information provided to create or access NHS login. Our role was as a processor of this information - meaning that we acted according to NHS Digital’s instructions when processing this information.
See the NHS login privacy notice for details.
In certain circumstances individuals had the right to ask for their information to be deleted by contacting us. We reserved the right to refuse such requests if we believed the information was needed as part of the emergency response to coronavirus.
Individuals also had the right to request:
- information about how their personal information was processed, and to request a copy of that personal data
- that any inaccuracies in their personal information were rectified without delay
- that any incomplete personal information was updated
- that the processing of personal information was restricted in certain circumstances - for example, where accuracy was contested
Individuals also had the right to object to the processing of their data.
Questions and complaints
The contact details for the data controller are:
Cabinet Office (Government Digital Service)
The White Chapel Building
10 Whitechapel High Street
London, E1 8QS
The contact details for the data controller’s Data Protection Officer are:
Stephen Jones, Data Protection Officer
London, SW1A 2AS
Or email: email@example.com.
The Data Protection Officer provided independent advice and monitoring of Cabinet Office’s use of personal information.
If you consider that your personal information was misused or mishandled, you can still make a complaint to the Information Commissioner, who is an independent regulator.
The Information Commissioner can be contacted at:
Information Commissioner's Office
Cheshire, SK9 5AF
You can also contact them by phone on 0303 123 1113 or by email: firstname.lastname@example.org.
Any complaint to the Information Commissioner won’t affect your right to seek redress through the courts.
Changes to this notice
We changed this privacy notice on several occasions during the lifetime of the service as circumstances changed. When we did this we changed the ‘last updated’ date at the top of the page and where necessary, took further reasonable steps to make sure individuals were made aware of the changes.