With the UK adhering to the EU General Data Protection Regulation (GDPR), there may be concerns regarding the use of vaccination reminders by surgeries.

GDPR is intended to strengthen and unify personal data protection, returning control to citizens and residents over their personal data.


GDPR contexts covering the use of patient data:

Opted In

If there is explicit consent, such as patients having signed a form agreeing to the receipt of SMS messages and phone calls, then a surgery sending out vaccination reminders is acting well within the GDPR compliance guidelines.

Implicit Consent

Some practices assume that because the patient has provided a phone number, they are implicitly providing consent to be contacted for the benefit of their health, an example being the Ecclesfield GP GDPR Statement.

This is not strictly within GDPR guidelines, as it falls short of what is described as ‘unambiguous consent’ – the way in which consent is obtained should leave no room for doubt about the patient’s wishes when consenting.

In the context of ‘unambiguous consent’, the patient should have been made aware at the time of providing their phone number that it would be used to supply health information or reminders via SMS or by phone call. This ‘unambiguous consent’ needs to be demonstrable and recorded.

Legitimate Interests

In this context there is likely legal justification for notifying patients with vaccination reminders, where the patient has provided a phone number, as it will provide them with the best health outcome.

According to the Information Commissioner’s Office (ico.org.uk), ‘legitimate interests’ may apply when:

  • It is of a clear benefit to you or others;
  • There’s a limited privacy impact on the individual;
  • The individual should reasonably expect you to use their data in that way; and
  • You cannot, or do not want to, give the individual full upfront control (i.e. consent) or bother them with disruptive consent requests when they are unlikely to object.

Notifying patients with vaccination reminders is easily demonstrable as being of benefit, and generally patients would welcome being reminded – the success of reminder campaigns carried out by X-on over many years is testament to that.

We believe that vaccination reminders are arguably of ‘legitimate interest’ to patients who have provided their phone number, and as such are GDPR compliant. This is, of course, not legal advice, as we are not suitably qualified, but our opinion. Until this is tested in court we cannot argue ‘legitimate interest’ definitively, but we feel confident vaccination reminders qualify.

Data Security

X-on stores all patient data at the highest available levels of encryption. Our industry security accreditations are regularly audited, ensuring we comply with, and exceed, NHS requirements. We have ensured all our systems are fully GDPR compliant.

Specific Considerations:

  • Patient data is only held on UK based servers
  • X-on are fully compliant with the Data Protection Act 2018 and GDPR
  • Patient data is only used for notifying a patient’s influenza vaccination eligibility by SMS or telephone
  • At the end of the process patient data is erased from X-on servers
  • Patient data is not used for any purpose other than vaccination reminders
  • Patient data is not shared outside of X-on
  • All staff employed by X-on have signed confidentiality agreements

X-on maintains accreditations with:

  • ISO 9001 (Quality Management of Systems requirements)
  • ISO 27001 (information security standards)
  • ICO (Data Protection Act compliance)
  • DSP Toolkit (NHS data security standards)
  • SBS CARAS2 Framework
  • Crown Commercial Service Supplier

For further information on GDPR compliance please call Sales on 0333 332 0000.