A survey conducted in April and May 2023 revealed that around ** percent of the companies that do business in the European Union (EU) and the United Kingdom (UK) found it challenging to adapt to new or changing requirements of the General Data Protection Regulation (GDPR) or Data Protection Act 2018 (DPA). A further ** percent of the survey respondents said it was challenging to increase the budget because of the changes in the data privacy laws.

SAR Database contains details of staff & ex-staff Data Protection Act (DPA) SARs received by BIS (including predecessor departments BERR and DTI, and relevant Executive Agencies), and DECC.

This is because it would breach the first data protection principle as: a) it is not fair to disclose claimant personal details to the world and is likely to cause damage or distress. b) these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the claimant. Please click the below web link to see the exemption in full. https://www.legislation.gov.uk/ukpga/2000/36/section/40 Breach of Patient confidentiality Please note that the identification of claimants is also a breach of the common law duty of confidence. A claimant who has been identified could make a claim against the NHSBSA or yourself for the disclosure of the confidential information. The information requested is therefore being withheld as it falls under the exemption in section 41(1) ‘Information provided in confidence’ of the Freedom of Information Act. Please click the below web link to see the exemption in full.

A Data Protection Impact Assessment (DPIA) is one of the ways to find out what privacy risks people face when information is collected, used, stored, or shared about them. This helps the London Borough of Barnet find issues so that risks can be taken away or lowered to a level that is acceptable. It also cuts down on privacy breaches and complaints that could hurt the Council's reputation or lead to action by the Information Commissioner (the government watchdog). The London Borough of Barnet makes DPIAs public in with its Data Charter and the 2018 Data Protection Act and UK GDPR.

As of February 2025, the largest fine issued for violation of the General Data Protection Regulation (GDPR) in the United Kingdom (UK) was more than 22 million euros, received by British Airways in October 2020. Another fine received by Marriott International Inc. in the same month was the second-highest in the UK and amounted to over 20 million euros.

The total number of VDPS claims relating to COVID-19 vaccines as of 25 March 2022 is 1,210. Monthly figure breakdown can be found in the attached data. However, please be aware that I have decided not to release the number of claims where the monthly total number of claims falls below 5. This is because the patients could be identified, when combined with other information that may be in the public domain or reasonably available. Where this applies, we’ve merged figures for multiple months to ensure we don’t provide the exact monthly number. This information falls under the exemption in section 40 subsections 2 and 3A (a) of the Freedom of Information Act. This is because it would breach the first data protection principle as: a) it is not fair to disclose patients’ personal details to the world and is likely to cause damage or distress. b) these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the patients. Please click the below web link to see the exemption in full. https://www.legislation.gov.uk/ukpga/2000/36/section/40 Breach of Patient confidentiality Please note that the identification of patients is also a breach of the common law duty of confidence. A patient who has been identified could make a claim against the NHSBSA or yourself for the disclosure of the confidential information. The information requested is therefore being withheld as it falls under the exemption in section 41(1) ‘Information provided in confidence’ of the Freedom of Information Act. Please click the below web link to see the exemption in full. https://www.legislation.gov.uk/ukpga/2000/36/section/41 Questions 2 & 3 The COVID-19 vaccines are very new and the global effort to establish any potential causal relationship between the vaccines and their potential adverse effects is not straightforward and has taken time. Claims relating to Covid-19 vaccines have not yet been medically assessed, therefore there have been no payments made to date. Question 4 There have been fewer than 5 claims rejected due to those claims falling outside the eligibility criteria. Therefore this information is being withheld under the same exemption outlined in the response to question 1 above. Data Queries

DP (Data Protection Act) / SAR (Subject Access Request) - Total Received

A Data Protection Impact Assessment (DPIA) is one of the ways to find out what privacy risks people face when information is collected, used, stored, or shared about them. This helps the London Borough of Barnet find issues so that risks can be taken away or lowered to a level that is acceptable. It also cuts down on privacy breaches and complaints that could hurt the Council's reputation or lead to action by the Information Commissioner (the government watchdog). The London Borough of Barnet makes DPIAs public in with its Data Charter and the 2018 Data Protection Act and UK GDPR.

Whilst this some of the requested information is held by the NHSBSA, we have exempted some of the figures under section 40(2) subsections 2 and 3(a) of the FOIA because it is personal data of applicants to the VDPS. This is because it would breach the first data protection principle as: a - it is not fair to disclose individual’s personal details to the world and is likely to cause damage or distress. b - these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the individual. https://www.legislation.gov.uk/ukpga/2000/36/section/40 Information Commissioner Office (ICO) Guidance is that information is personal data if it ‘relates to’ an ‘identifiable individual’ regulated by the UK General Data Protection Regulation (UK GDPR) or the Data Protection Act 2018. The information relates to personal data of the VDPS claimants and is special category data in the form of health information. As a result, the claimants could be identified, when combined with other information that may be in the public domain or reasonably available. Online communities exist for those adversely affected by vaccines they have received. This further increases the likelihood that those may be identified by disclosure of this information. Section 40(2) is an absolute, prejudice-based exemption and therefore is exempt if disclosure would contravene any of the data protection principles. To comply with the lawfulness, fairness, and transparency data protection principle, we either need the consent of the data subject(s) or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet the legitimate interest and finally, the disclosure must not cause unwarranted harm. The NHSBSA has considered this and does not have the consent of the data subjects to release this information and believes that it would not be possible to obtain consent that meets the threshold in Article 7 of the UK GDPR. The NHSBSA acknowledges that you have a legitimate interest in disclosure of the information to provide the full picture of data held by the NHSBSA; however, we have concluded that disclosure of the requested information would cause unwarranted harm and therefore, section 40(2) is engaged. This is because there is a reasonable expectation that patient data processed by the NHSBSA remains confidential, especially special category data. There are no reasonable alternative measures that could meet the legitimate aim. As the information is highly confidential and sensitive, it outweighs the legitimate interest in the information. Section 41 FOIA This information is also exempt under section 41 of the FOIA (information provided in confidence). This is because the requested information was provided to the NHSBSA in confidence by a third party - another individual, company, public authority or any other type of legal entity. In this instance, details have been provided by the claimants. For Section 41 to be engaged, the following criteria must be fulfilled:

This is because it would breach the first data protection principle as: a) it is not fair to disclose applicants personal details to the world and is likely to cause damage or distress. b) these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the applicants. Please click the below web link to see the exemption in full. https://www.legislation.gov.uk/ukpga/2000/36/section/40 Breach of Applicant Confidentiality Please note that the identification of applicants is also a breach of the common law duty of confidence. An applicant who has been identified could make a claim against the NHSBSA or yourself for the disclosure of the confidential information. The information requested is therefore being withheld as it falls under the exemption in section 41(1) ‘Information provided in confidence’ of the Freedom of Information Act. Please click the below web link to see the exemption in full. https://www.legislation.gov.uk/ukpga/2000/36/section/41 Note - Ages have been grouped to allow for a lower amount of suppression of the data. ‘Age 11 and under’ has been added to the dataset to complete the analysis. Please note that this request and our response is published on our Freedom of Information disclosure log at: https://opendata.nhsbsa.net/dataset/foi-23325 If you have any queries regarding the data provided, or if you plan on publishing the data, please contact nhsbsa.foirequests@nhsbsa.nhs.uk ensuring you quote the above reference. This is important to ensure that the figures are not misunderstood or misrepresented. If you plan on producing a press or broadcast story based upon the data, please contact nhsbsa.communicationsteam@nhs.net. This is important to ensure that the figures are not misunderstood or misrepresented.

DP (Data Protection Act) / SAR (Subject Access Request) - Out of time

a - it is not fair to disclose claimant personal details to the world and is likely to cause damage or distress. b - these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the claimant. Please click the below web link to see the exemption in full. www.legislation.gov.uk/ukpga/2000/36/section/40 Breach of Patient confidentiality Please note that the identification of claimants is also a breach of the common law duty of confidence. A claimant who has been identified could make a claim against the NHSBSA for the disclosure of the confidential information. The information requested is therefore being withheld as it falls under the exemption in section 41(1) ‘Information provided in confidence’ of the Freedom of Information Act. Please click the below web link to see the exemption in full.

Please break this down further into which disease the vaccination was against. For example: COVID-19 vaccine - x applied - y successful Mumps vaccine - x applied - y successful Response The figures provided below cover the period December 2020 to 18 January 2022. Question 1 We have received the following claims: 721 Coronavirus (COVID-19)Claims 29 Influenza 47 Measles, mumps and rubella (MMR) 16 Diphtheria, tetanus, pertussis and polio (DTaP/IPV) 9 Human papillomavirus (HPV) 12 Other We are able to advise that the “Other” claims were for the following vaccines: Meningococcal Group C (Men C, Men ACWY) Pandemic influenza A (H1N1) 2009 (swine flu) H1N1 Tuberculosis (TB) Poliomyelitis 834 claims in total Fewer than 5 Claims Please be aware that I have decided not to release the exact number of claims for each vaccine where the number is fewer than 5. This is because the claimants could be identified, when combined with other information that may be in the public domain or reasonably available. These are summarised above under the “Other” category. This information falls under the exemption in section 40 subsections 2 and 3A (a) of the Freedom of Information Act. This is because it would breach the first data protection principle as: a) it is not fair to disclose claimant personal details to the world and is likely to cause damage or distress. b) these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the claimant. Please click the below web link to see the exemption in full. https://www.legislation.gov.uk/ukpga/2000/36/section/40 Breach of Patient confidentiality Please note that the identification of claimants is also a breach of the common law duty of confidence. A claimant who has been identified could make a claim against the NHSBSA or yourself for the disclosure of the confidential information. The information requested is therefore being withheld as it falls under the exemption in section 41(1) ‘Information provided in confidence’ of the Freedom of Information Act. Please click the below web link to see the exemption in full.

Response I can confirm that the NHSBSA holds the information you have requested and a copy of the information is attached. Fewer than 5 Please be aware that I have decided not to release details where the total number of beneficiaries falls below 5. This is because the beneficiaries could be identified, when combined with other information that may be in the public domain or reasonably available. This information falls under the exemption in section 40 subsections 2 and 3A (a) of the Freedom of Information Act. This is because it would breach the first data protection principle as: a) it is not fair to disclose beneficiary personal details to the world and is likely to cause damage or distress. b) these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the patients. Please click the below web link to see the exemption in full. https://www.legislation.gov.uk/ukpga/2000/36/section/40 Breach of Patient confidentiality Please note that the identification of claimants is also a breach of the common law duty of confidence. A claimant who has been identified could make a claim against the NHSBSA for the disclosure of the confidential information. The information requested is therefore being withheld as it falls under the exemption in section 41(1) ‘Information provided in confidence’ of the Freedom of Information Act. Please click the below web link to see the exemption in full. https://www.legislation.gov.uk/ukpga/2000/36/section/41 Publishing this response Please note that this information will be published on our Freedom of Information disclosure log at: https://opendata.nhsbsa.net/dataset/foi-02309 Your personal details will be removed from the published response. Data Queries Please contact foirequests@nhsbsa.nhs.uk ensuring you quote the above reference if you have any specific questions regarding this response; or, if you feel you may be misunderstanding or misinterpreting the information; or, if you plan on publishing the data. Reusing the data and copyright

Fewer than five Please be aware that I have decided not to release the full details where the total number of individuals falls below five. This is because the information is exempt under section 40(2) of the FOIA (personal information). This is because it would breach the first data protection principle as: a) it is not fair to disclose individual’s personal details to the world and is likely to cause damage or distress b) these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the individual Please see the following link to view the section 40 exemption in full -https://www.legislation.gov.uk/ukpga/2000/36/section/40 Breach of Confidentiality

DP (Data Protection Act) / SAR (Subject Access Request) - % In time - (YTD). The Freedom of Information Act 2000 (FOI) was intended to promote a culture of openness and accountability by giving people the right to access information held by public authorities; to improve public understanding of duties, why decisions are made and how public money is spent. A Subject Access Request (SAR) is a written request that entitles individuals to find out what personal data is held about them by an organisation, why the organisation is holding it and who their information is disclosed to by that organisation.

BackgroundThe COVID-19 pandemic brought global disruption to health, society and economy, including to the conduct of clinical research. In the European Union (EU), the legal and ethical framework for research is complex and divergent. Many challenges exist in relation to the interplay of the various applicable rules, particularly with respect to compliance with the General Data Protection Regulation (GDPR). This study aimed to gain insights into the experience of key clinical research stakeholders [investigators, ethics committees (ECs), and data protection officers (DPOs)/legal experts working with clinical research sponsors] across the EU and the UK on the main challenges related to data protection in clinical research before and during the pandemic.Materials and methodsThe study consisted of an online survey and follow-up semi-structured interviews. Data collection occurred between April and December 2021. Survey data was analyzed descriptively, and the interviews underwent a framework analysis.Results and conclusionIn total, 191 respondents filled in the survey, of whom fourteen participated in the follow-up interviews. Out of the targeted 28 countries (EU and UK), 25 were represented in the survey. The majority of stakeholders were based in Western Europe. This study empirically elucidated numerous key legal and ethical issues related to GDPR compliance in the context of (cross-border) clinical research. It showed that the lack of legal harmonization remains the biggest challenge in the field, and that it is present not only at the level of the interplay of key EU legislative acts and national implementation of the GDPR, but also when it comes to interpretation at local, regional and institutional levels. Moreover, the role of ECs in data protection was further explored and possible ways forward for its normative delineation were discussed. According to the participants, the pandemic did not bring additional legal challenges. Although practical challenges (for instance, mainly related to the provision of information to patients) were high due to the globally enacted crisis measures, the key problematic issues on (cross-border) health research, interpretations of the legal texts and compliance strategies remained largely the same.

Een Data Protection Impact Assessment (DPIA) is een van de manieren om erachter te komen welke privacyrisico’s mensen lopen wanneer informatie over hen wordt verzameld, gebruikt, opgeslagen of gedeeld. Dit helpt de Londense gemeente Barnet problemen te vinden zodat risico’s kunnen worden weggenomen of verlaagd tot een aanvaardbaar niveau. Het bezuinigt ook op inbreuken op de privacy en klachten die de reputatie van de Raad kunnen schaden of leiden tot actie van de Information Commissioner (de waakhond van de regering). De London Borough of Barnet maakt DPIA’s openbaar in zijn Data Charter en de Data Protection Act 2018 en UK GDPR. Een Data Protection Impact Assessment (DPIA) is een van de manieren om erachter te komen welke privacyrisico’s mensen lopen wanneer informatie over hen wordt verzameld, gebruikt, opgeslagen of gedeeld. Dit helpt de Londense gemeente Barnet problemen te vinden zodat risico’s kunnen worden weggenomen of verlaagd tot een aanvaardbaar niveau. Het bezuinigt ook op inbreuken op de privacy en klachten die de reputatie van de Raad kunnen schaden of leiden tot actie van de Information Commissioner (de waakhond van de regering).

De London Borough of Barnet maakt DPIA’s openbaar in zijn Data Charter en de Data Protection Act 2018 en UK GDPR.