Guidance

[Withdrawn] Get vitamin D supplements: privacy notice

Published 12 January 2021

This guidance was withdrawn on

This page has been withdrawn because it’s no longer current. Read more about living safely with coronavirus (COVID-19).

Applies to England

About this notice

This privacy notice explains how personal information is used to provide a free 4-month supply of vitamin D supplements to high-risk groups.

Eligible persons will receive a letter from the Department of Health and Social Care (DHSC) or the NHS offering them a choice to receive a free 4-month supply of vitamin D supplements. This would be done through opting-in to the service by entering their details (or having someone enter their details for them) on a webform that is managed on behalf of DHSC by NHS Digital.

Those who opt-in will be sent a one-off 4-month supply of daily vitamin D supplements free of charge from January 2021. This service is referred to in this document as the ‘service’. The distribution of the vitamins will be managed by a partner provider who is acting on behalf of DHSC.

In this privacy policy:

  • ‘we’ or ‘us’ means DHSC
  • ‘you’ or ‘your’ means you: a member of the public who is using the service
  • the ‘partner provider’ or ‘distributor’ means the company contracted by the DHSC to deliver the vitamin D supplements to eligible persons
  • the ‘SofS’ means the Secretary of State for the Department of Health and Social Care.

This privacy notice tells you what information will be shared by NHS Digital with DHSC and the partner provider and how it is used to provide the service, including your rights and how to contact us.

The service and who we are

If you opt-in to receiving supplements, you acknowledge that NHS Digital may share the details you provide through the service with the DHSC and the partner provider working on behalf of DHSC to provide you with vitamin D supplements.

NHS Digital is the controller for the personal information collected and processed as part of this service under the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018). This includes collecting information through the opt-in form and checking that those who have registered are on the clinically extremely vulnerable (CEV) patient list and are over 18 years old.

NHS Digital will only share the name and address you provide in the opt-in form with the partner provider to enable them to deliver the supplements to you.

In the unlikely event that a safety issue needs to be communicated to you, DHSC may require NHS Digital to share your address and/or email address with DHSC so that we, or a communications partner acting on our behalf, can contact you directly.

When NHS Digital share your details with the partner provider or with DHSC, DHSC is the controller for processing your personal information.

DHSC’s legal basis for directing NHS Digital to process and share data for the purpose of delivering the service is Regulation 3 of Health Service (Control of Patient Information) Regulations 2002 (COPI) and s2A NHS Act 2006 Secretary of State’s duty as to protection of public health.

The legal basis under the GDPR on which DHSC, and the distribution partner acting on behalf of DHSC, process your personal information is:

GDPR Article 6 (1) (e) – processing is necessary for the performance of a task carried out in the public interest, where the SofS has directed for the service to be offered to CEV patients and where you choose to opt-in to receive vitamin D supplements.

The DHSC’s legal basis for processing personal information concerning health under GDPR is:

GDPR Article 9 (2) (i) – processing is necessary for reasons of substantial public interest in the area of public health, where the SofS has directed for the service to be offered to CEV patients specifically, and Schedule 1 Part 1 DPA 2018, paragraph 3 Public Health.

DHSC have in place an appropriate policy document for this service, which is required under the DPA 2018 in order to process the information we collect about your health (or special category data). This provides information about our procedures for complying with the data protection principles under GDPR and explains how long we will retain your information for.

How we use your personal information and why

The processing of your personal information is necessary to provide you with the service and to ensure the functionality of the service.

NHS Digital collect the following personal data from you if you opt-in to the service:

  • name
  • NHS Number
  • date of birth
  • contact email address (optional)
  • preferred delivery address

To check that you are on the shielded patient list

NHS Digital will use your NHS number and date of birth to check that you are on the shielded patient list and are entitled to receive this service.

For more information about how NHS Digital use your data for the shielded patient list see the shielded patient list transparency notice.

To contact you by email

If you provided NHS Digital with a contact email address when you opted in to the service, you will receive an email communication in January 2021 from NHS Digital on behalf of the DHSC to inform you whether your application for vitamin D supplements was accepted, and provide you with a reference number and contact details in case you need to contact the DHSC about your supplements.

If you do not provide an email address, NHS Digital will not be able to provide you with the above information. However, if you are eligible you will still receive the supplements.

To give your details to the distributor, who are supplying the service on behalf of the DHSC, so you receive the vitamin D supplements

DHSC will direct NHS Digital to share the name and address you provide in the opt-in form and your reference number with the partner provider so they can deliver the supply of vitamin D supplements to you. The partner provider will not receive your email address.

In the event that a safety issue needs to be communicated to you, DHSC may require NHS Digital to share your address and/or email address with DHSC so that we, or a communications partner acting on our behalf, can contact you directly.

To produce reports

NHS Digital will provide DHSC with anonymous data (for example, statistical reports and eligible sign-ups, which do not allow you to be identified). This will be used to understand service usage and performance.

NHS Digital will also provide DHSC with reports which include reference numbers (but not names and addresses). This will be used to understand how many deliveries the partner provider will need to make and enable delivery tracing where necessary.

The partner provider will provide DHSC with data on the deliveries that have taken place. This will include reference numbers and the batch number for the product provided. It will not include names or addresses.

To trace your delivery

The partner provider will record the batch number for the vitamin D product supplied to you. In the event there is a safety issue, this will enable any faulty products to be traced and for any necessary information to be communicated to you, or to DHSC.

If you get in touch with DHSC because you have not received your vitamin D supplements within the indicated timeframe (this will be detailed in the email you receive from NHS Digital in January 2021) you will be asked to provide your reference number. DHSC will share your reference number with the partner provider to check the progress of your delivery, and where necessary arrange for another delivery of supplements to your preferred delivery address as provided on the opt-in form.

If you get in touch with DHSC with a query, we will not ask you to provide any personal information, only your reference number. If you share any personal information as part of your email query, DHSC will not share the information further.

Who your personal information is shared with

The personal information you provide to NHS Digital will be shared with DHSC and DHSC’s partner provider in order to supply you with the vitamin D supplement only. It will not be used for any other purposes.

How long your personal information is kept for

Your personal data will be held for as long as necessary to operate the service. Data shall be retained in line with NHS Digital and DHSC Retention policies.

The partner provider will retain your personal data until 31 March 2021.

DHSC and NHS Digital will retain your personal data for a 2-year period from the end of the service (31 March 2023) to enable us to deal with queries and to contact you if necessary.

Where we store your personal information

DHSC will routinely store anonymised statistical reports and reports containing reference and product batch numbers relating to the service. DHSC may also need to store additional personal information in the event of a safety issue. Personal data collected for the service will be stored and processed in the United Kingdom.

The partner provider will be required to store your data securely in the United Kingdom and only for the timeframe above. This will be outlined in the data processing schedule of the contract between the partner provider and the DHSC.

Your rights over your personal information

By law, you have rights as a data subject. Your rights under the GDPR and the UK DPA 2018 apply. 

Your right to get copies of your information

You have the right to ask for a copy of any information about you that is held or controlled by DHSC. 

Your right to get your information corrected

You have the right to ask for any information held about you that you think is inaccurate to be corrected. 

Your right to limit how your information is used

You have the right to ask for any of the information held about you to be restricted – for example, if you think inaccurate information is being used. 

Your right to object to your information being used

You can ask for any information held about you to not be used. However, this is not an absolute right, and we may need to continue using your information. We will tell you if this is the case. 

Contact DHSC

If you have any queries in relation to the use of your personal information in connection with the service, or if you want to exercise any of your rights above, please contact data_protection@dhsc.gov.uk.

The Data Protection Officer for DHSC is Lee Cramp, who can be contacted by sending an email to data_protection@dhsc.gov.uk.

Contact the Information Commissioner

If we are unable to resolve any queries or concerns in relation to the use of your personal information in connection with the service, you can raise your concern with the Information Commissioner. You can contact the Information Commissioner’s Office:

  • using the ICO’s contact service
  • by calling 0303 123 1113
  • by writing to the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Changes to this notice

The terms of our privacy policy may change from time to time. Any updates to the privacy policy will be published on GOV.UK.