Covid-19: Complaints after England booking site reveals vaccine status
The NHS is revising the booking system for Covid-19 jabs in England after complaints that it could reveal individuals’ vaccination status.
By entering details such as their name, date of birth and postcode it may be possible to work out if another person has been given both doses, one or none.
Privacy campaigners Big Brother Watch called it a “shocking failure”.
NHS Digital said the system had no direct access to medical records and allowed millions to quickly book jabs.
The flaw in the website was first revealed by the Guardian, which said it could allow employers to monitor their workers’ vaccination status or put people at risk of peer pressure from anti-vaccination friends and colleagues not to get the jab.
The website allows people to book appointments without using their NHS number, by entering their name, date of birth and postcode.
But it gives different results depending on whether the individual has already had two doses, one or none, allowing another user to quickly determine other people’s vaccination status.
- How old do I have to be to get my vaccine?
- NHS Covid-19 app update blocked for breaking rules
- Confusion over use of NHS App as Covid passport
In the case of someone who has had both doses it currently says: “You do not need to book any coronavirus (COVID-19) appointments using this service.” The Guardian earlier reported that it said “you have had both of your appointments”.
For people who have had one dose, the site presents a screen referring to their booking for a second appointment.
And for those who have not had any jabs, it goes to a standard screening page.
Silkie Carlo, director of Big Brother Watch, said it is “a seriously shocking failure to protect patients’ medical confidentiality at a time when it could not be more important”.
She said the data was “exposed to absolutely anyone to pry into” because date of birth and postcode information can easily be found or bought.
“The system does not provide access to anyone’s medical records and people should not be fraudulently using the service – it should only be used by people booking their own vaccines or for someone who has knowingly provided their details for this purpose.”
“This is personal health information that could easily be exploited by companies, insurers, employers or scammers,” Ms Carlo said.
“Robust protections must be put in place immediately and an urgent investigation should be opened to establish how such basic privacy protections could be missing from one of the most sensitive health databases in the country.”
The National Data Guardian for Health and Social Care, which advises healthcare organisations about handling personal data, said it had been contacted by some people with concerns about the way the NHS booking site works.
“It is important that it is as simple and easy as possible for people to book their vaccinations and we understand that the website has been developed to support this aim,” a spokeswoman for the Office of the National Data Guardian said.
But the spokeswoman said the organisations responsible for the site had been contacted to raise its concerns and discuss “the twin important aims of protecting confidentiality whilst maintaining easy access to vaccinations for the public”.
NHS Digital said it was revising the messages used by the booking system to improve privacy, but suggested that conclusions about someone’s vaccine status from entering other people’s data would not always be accurate.
The online booking system enabled millions of people to book their vaccinations quickly and easily, it said.
A spokesperson said: “This is making a significant impact on the management and containment of the pandemic and is saving lives.
“The system does not provide access to anyone’s medical records and people should not be fraudulently using the service – it should only be used by people booking their own vaccines or for someone who has knowingly provided their details for this purpose.”
Comments are closed.