
How the COVID-19 exemption certificate service uses your data and what your rights are.

First published: 25 February 2022
Last updated:


The Welsh Government is providing a service that issues exemption certificates to individuals who are unable to receive a COVID-19 vaccine and/or take lateral flow tests, to ensure they are able to access premises which require evidence of COVID status (usually through the COVID pass).

The Welsh Government will also consider appeals against a decision made by the individual's NHS allergy service or learning disability team that an individual does not qualify for an exemption due to an allergy or learning disability, or against a decision made by the Welsh Government that an exemption cannot be granted on other grounds.

How does the service work?

The Welsh Government, on behalf of the Welsh Ministers, will consider applications from those who are unable to receive a vaccination and take lateral flow tests. The information they provide will be considered by Welsh Government’s senior clinical specialist to determine whether an exemption can be granted. Further information may be requested from the applicant or from the applicant’s GP, specialist or hospital consultant if it is needed to make a decision.

If a decision is made to grant an exemption, the individual will be sent a certificate confirming they meet the requirements to enter a venue or premises where COVID-19 passes are required to enter. It will not specify that this is an exemption certificate.

Individuals may appeal a decision that they are not eligible for an exemption, made either by the NHS or by the Welsh Government.

What is the purpose for the processing of personal data?

Personal data provided by the individual, or by their GP, specialist or hospital consultant will be processed in order to determine whether an individual is clinically unable to be vaccinated and also unable to take a lateral flow test and is eligible for an exemption certificate. The information will not be processed for any other reason.

What does the COVID-19 testing exemption certificate do?

The COVID-19 testing exemption certificate provides citizens who clinically cannot be vaccinated and take a lateral flow test with evidence that they meet the criteria to enter premises where a COVID-19 pass or evidence of a recent negative lateral flow test would normally be requested. The certificate looks similar to the COVID-19 paper pass for domestic use and only confirms that an individual has met one or more of the requirements to enter a premises or venue where passes are a condition of entry. It does not specify on what basis the certificate has been issued.

What do I need to do?

If you believe that you, or someone you care for, is unable to be vaccinated and to take a COVID-19 lateral flow test due to a medical condition, you will need to apply to the Welsh Government for an exemption certificate. You can do this by filling out the online form (provided by Smart Survey), or by filling out the form on and sending it to the email address on the form.

Data Controller

The Welsh Government, on behalf of the Welsh Ministers, will be the Data Controllers for the information provided on the application for an exemption certificate or an appeal.

It may be necessary for the Welsh Government to request some additional information about the medical condition from a GP, specialist or hospital consultant. The GP or local health board are the data controllers for the data they hold; the Welsh Government will become an independent Data Controller for that information once it is shared with us for the purposes of considering an application or appeal.

The personal data we collect and how it is used

In order to assess your application for an exemption certificate, or your appeal about a decision, you will need to provide us with information that will enable us to identify you, and details of the medical condition(s) you believe mean you cannot take a lateral flow test. If you are making an appeal, you will need to provide us with information on your medical conditions and why you think the decision made by your local health board is incorrect.

We also ask you to provide details of your GP, specialist or hospital consultant. This is so we can seek further information from them to help us make a decision about your application or appeal. We will use the information they provide to help us determine whether you can be granted an exemption.

We will also use the information you provide to us to communicate with you about your application or appeal.

Automated decision making or profiling

For the purposes of effective compliance with the requirements of Article 22 of the General Data Protection Regulation (UK GDPR), the Controllers consider that automated decision making is not engaged in this service.

How will my information be shared

We will only share information about you if we need more information about your medical conditions from your GP, specialist or hospital consultant. To do this we will need to provide them with enough information in order for them to identify you from their records, including your name, date of birth, address and NHS number. We may also need to share the information you have provided us about your medical conditions to ensure they are able to provide us with information that will help us make a decision.

If we need to share data about you with your GP, specialist or hospital consultant, we will do this on our secure data-sharing platform.

If you are making an appeal, the information you have provided in support of your appeal will be shared with the Welsh Government’s appeal panel. We will use our secure data-sharing platform to do this. A Data Sharing Agreement will be in place between the Welsh Government (acting on behalf of the Welsh Ministers) and each member of the appeal panel.

Lawful basis for processing personal data

The legal basis for the use of personal data in this service will be:

UK GDPR Art. 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller to meet statutory obligations under Section 2A(1) of the NHS Act 2006, to protect public health; and

UK GDPR Art. 9 (2)(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy, underpinned by DPA 2018 – Schedule 1, Part 1, s. 2(2)(f) – health or social care purposes.

How long do we keep your personal data

Personal identifiable data held by Welsh Government will be retained for up to 6 months after a decision has been made on your application, appeal, or second appeal. After this time personal data will be securely destroyed.

We may keep anonymised, statistical data about exemptions and appeals indefinitely, for statistical, management and research purposes. It will not be possible to identify an individual from this data.

Your rights as a data subject

By law, you have rights as a data subject. Your rights under the General Data Protection Regulation and the UK Data Protection Act 2018 apply:

  • Your right to get copies of your information – you have the right to ask for a copy of any information about you.
  • Your right to update or correct your information – you have the right to ask for any information held about you that you think is inaccurate, to be corrected.
  • Your right to limit how your information is used – you have the right to ask for any of the information held about you to be restricted, for example, if you think inaccurate information is being used.
  • Your right to object to your information being used – you can ask for any information held about you to not be used. However, this is not an absolute right, and we may need to continue using your information, and we will tell you if this is the case.
  • Your right to get your information deleted – this is not an absolute right, and we may need to continue to use your information, and we will tell you if this is the case.
  • If you’re unhappy or wish to complain about how your personal data is used, you should contact us in the first instance to resolve your issue. If you are still not satisfied, you can complain to the Information Commissioner’s Office.

If you have concerns about the accuracy of the data relating to medical conditions which may exempt you from vaccination and testing, you should contact the health board for the area in which you live or received treatment. Contact details for them may be found on correspondence from that health board, including any letter or text message you may have received.

If you have concerns that your personal details are incorrect, please check with your GP surgery that they have your correct details in the first instance.

You can also contact any of the Data Protection Officers relating to this service as listed above. Members of the relevant data protection teams will endeavour to get back to you as soon as possible to confirm receipt.

Should you make a request under the UK General Data Protection Regulation, we will require your name and contact details in order to meet our legal obligations to provide you with a response. We will only use this personal information to deal with your request and any matters which arise as a result of it. We will keep your personal information, and all other information relating to your request, for 3 years from the date on which we responded to your request.


We use appropriate technical, organisational and administrative security measures to protect any information we hold in our records from loss, misuse, unauthorised access, disclosure, alteration and destruction. We have written procedures and policies which are regularly audited and reviewed at a senior level.

Changes to our policy

We keep our privacy notice under regular review, and we will make new versions available on our privacy notice page on the Welsh Government website. This privacy notice was last updated on 25 February 2022.

Further information

If you have any further questions about how the data provided will be used by the Welsh Government or wish to exercise your rights using the General Data Protection Regulation, please contact the Welsh Government’s Data Protection Officer at:

Data Protection Officer

Welsh Government, Cathays Park, Cardiff, CF10 3NQ

Rydym yn croesawu gohebiaeth yn Gymraeg / We welcome correspondence in Welsh.

Complaints around the processing

If you wish to make a complaint about the processing of your personal data you should in the first instance contact the Data Controllers of the information.

If you are not happy with the Data Controller’s response, you can contact the Information Commissioner at:

Information Commissioner’s Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: 0303 123 1113

Fax: 01625 524510

Rydym yn croesawu galwadau a gohebiaeth yn Gymraeg / We welcome calls and correspondence in Welsh.

Appendix: Data processor responsibilities

| Data processor details | Role | Controllers responsible |
| --- | --- | --- |
| Smart Survey | Electronic capture of applications for exemptions and appeals | Welsh Government – to contract |
| Objective Connect | Secure file transmission of additional information from NHS organisations to Welsh Government | Welsh Government – to contract |