Skip to main content

National booking service staff applications – Privacy policy (MYA)

This Privacy Policy refers to the Manage Your Appointments (MYA) staff application in the National Booking Service (NBS). MYA is replacing the current appointment management application QFlow and is a technical component of the NBS in supporting the purpose of managing appointment bookings.

1. About this privacy notice

The Privacy Policy of the National Booking Service can be read here National booking service staff applications – Privacy policy - NHS. It currently includes the appointment booking application QFlow Console until it is decommissioned.

The Privacy Policy of the National Booking Service (NBS) includes following information:

  • Why we collect information about you (we call this “personal data”)
  • What we do with it, including who we share it with
  • How long we keep it for and where we store it
  • Our legal basis for using it
  • What your data protection rights are.

To read more about how NHS England uses personal data to improve health and care, see Transparency Notice: how we use your personal data.

2. About the Manage Your Appointments (MYA) staff application in the National Booking Service (NBS)

This privacy policy relates to the Manage Your Appointments (MYA) staff application in the National Booking Service (NBS).

The Manage Your Appointment (MYA) application allows you to:

  • Add users and assign roles
  • Create appointment availability
  • Manage appointment availability
  • Cancel booked appointments.

The application is provided by NHS England, free of charge to organisations commissioned by the National Health Service and holding a valid ODS code. We securely collect, analyse, and share information to improve health and social care services. Find out more.

3. Our role

NHS England develops and provides the product Manage Your Appointments (MYA) staff application in the National Booking Service (NBS) and is the ‘controller’ of the system.

For the data processed in the product, we are acting as a ‘data processor’ in providing the product Manage Your Appointments (MYA) staff application in the National Booking Service (NBS). This means that MYA enables the NBS to use your personal data according to the instructions given to us by the data controller.

4. The type of personal data we use

To access the Manage Your Appointments (MYA) staff application in the National Booking Service (NBS) we store:

  • Email Address.
  • User Account Role

To provide an audit trail within the Application, we store:

  • Email Address
  • Time Stamp
  • Type of Action, e.g. deletion

5. How we use your data and why

We create a user account using your NHS Mail and/or OKTA to allow vaccination site personnel to use the Application. We store your NHS email address and role permissions. These are used to check credentials for vaccination site personnel to allow them to perform the tasks described in section 2.

We create a link between a login account and a vaccination site(s). This is to ensure that vaccination site personnel only gain access to data for the site(s) they work at.

We store a record of each transaction completed by vaccination site personnel. We store who, what and when these transactions take place to provide an audit trail.

6. Our legal basis

Data protection law requires NHS England to have a legal basis before we can use your personal data. The Manage Your Appointments (MYA) staff application is a National Booking Service (NBS) component.

Please refer to the legal basis of the National Booking Service (NBS) in processing your data.

7. Who we share data with

Information regarding each vaccination site team member is shared with other system users who are required by their role to manage access, such as Site Managers.

The data will be processed and stored in the United Kingdom by NHS who supply the booking engine for vaccinations.

Data from this application may be shared with organisations for planning, commissioning and research purposes where there is a benefit to health and social care as part of the National Booking Service (NBS). Organisations will need to apply and gain approval through our Data Access Request Service.

Each application is assessed very carefully to make sure that the organisation:

  • has a legal basis to access the data for that purpose
  • will use the data for the benefit of health and care and for the agreed purposes only
  • will handle and store the data securely

Data from MYA which can identify you (identifiable data) will only be shared if this is absolutely necessary and the organisation who has made an application for data cannot achieve their purpose without it. Where possible we remove information from the data which identifies you, or we replace it with a unique reference number (this is known as pseudonymisation).

Each organisation we share data with must sign a Data Sharing Framework Contract and a Data Sharing Agreement and we carry out audits to check they are using the data as agreed.

8. Processors

The Manage Your Appointments (MYA) staff application is enabling data processing in the National Booking Service (NBS). MYA, as part of the NBS, is acting as a processor of the data. NBS may share some data if instructed to do so or if a legal basis can be provided. We can only use, store and keep the data in accordance with our instructions and cannot use the data for any other purposes.

9. How long we keep data for

We keep your data in accordance with the Records Management Code of Practice 2021.

11. Where we store data

We securely store your data on our servers in the United Kingdom (UK).

The data will be processed and stored in the United Kingdom by NHS England. All NHS England data held within the Application is within the UK jurisdiction as it is hosted in the Microsoft Azure cloud within the UK.

12. Your data protection rights

Under data protection law, you have the following rights over your data for this application.

Summary of your rights over your personal information processed by the Service:

  • The right to be informed. This privacy statement describes what personal data we collect for the Application and how it is used.
  • The right to access the personal information. You can contact the NHS customer service centre to request access to your personal information. They can be contacted on 0300 303 5678 or email (enquiries@nhsdigital.nhs.uk). Our customer service centre is open 9am to 5pm, Monday to Friday except on public holidays.
  • The right to request the correction of inaccurate personal information. Contact the customer service centre for corrections to your personal information.
  • The right to request the erasure of your personal information in certain limited circumstances (“right to be forgotten”). Your ‘staff’ record will be deleted as per section 7. You can contact the customer service centre to request deletion of your personal information.
  • The right to restrict processing of your personal information where certain requirements are met. Requests to restrict processing need to be made to the customer service centre.
  • The right to object to the processing of your personal information in certain circumstances. Please contact the customer service centre to object to your personal data being collected and processed. The request will be analysed by the Service and responded to as required by law.
  • The right to request that elements of your data are transferred either to you or another service provider in certain circumstances. This does not apply to this Application.
  • The right to object to certain automated decision-making processes using your personal information. This does not apply to this Application.
  • The right to withdraw consent. This does not apply to this Application because the lawful basis for processing is not based on consent.
  • The right to complain. You can make a complaint to the NHS Digital service centre. The request will be analysed by the Service responded to as required by law. You have the right to complain to NHS Digital and to the Information Commissioners Office (ICO) using the contact information provided below.

To make a rights request, email us at england.contactus@nhs.net

13. Your right to complain

We take our responsibility to look after your data very seriously. If you have any questions or concerns about how NHS England uses your data, please contact our Data Protection Officer at: england.dpo@nhs.net

If you are not happy with our response, you have the right to make a complaint about how we are using your data to the Information Commissioner’s Office by calling 0303 123 1113 or through their website: https://ico.org.uk/make-a-complaint/

14. Contact us

If you have any queries in relation to the use of your personal information in connection with the Application, or if you want to exercise any of your rights above, please contact enquiries@nhsdigital.nhs.uk.

15. Contact the Information Commissioner

If we are unable to resolve any queries or concerns in relation to the use of your personal information in connection with the Service, you can raise your concern with the Information Commissioner. You can contact the Information Commissioner’s Office:

15.1 Changes to this notice

We may make changes to this notice. If we do, the 'last edited' date on this page will also change. Any changes to this notice will apply immediately from the date of any change.

Page last reviewed: 21 February 2025
Next review due: 11 March 2026