Founded in 1948, NHS Scotland is made up of various organisations such as:
These organisations are individually responsible for your personal health information. In terms of data protection and privacy laws, they are known as ‘data controllers’.
NHS Scotland also works with a range of subcontractors who are required to provide a variety of health and social care services and support. They include:
Sometimes these organisations need access to some of your personal information to carry out activities on behalf of the NHS. These organisations are called ‘data processors’.
Find out more about NHS Scotland.
We use personal information on different groups of individuals including:
We use information that can identify individuals such as:
We also use more sensitive types of personal information including:
The information we use can relate to:
We will only collect this type of information when it is needed. NHS Scotland will make every effort to ensure the data is processed in a fair and lawful manner.
Under the NHS Scotland Act, NHS Scotland organisations have a legal responsibility to directly or indirectly provide a range of services, including:
These services form a National Health Service which is responsible for improving the physical and mental health of people in Scotland.
NHS Scotland also needs some personal information for the management and planning of health and social care services and for public health reasons, such as:
We may also use personal information to enable us to comply with legal requirements, such as:
All NHS Scotland data controllers are required to have a legal basis when using personal information. The main legal basis for which NHS Scotland uses personal information is to undertake a task in the public interest. This task is to provide health and social care.
In some situations we may rely on a different legal basis. For example, when we are using personal information to pay a supplier, our legal basis is that it is needed for a contract. Another example would be to comply with a legal obligation the NHS has, such as notifying Health Protection Scotland when someone contracts a specific disease.
When we are using more sensitive types of personal information, including health information, our legal basis is usually that the information is necessary:
Only in certain circumstances will NHS Scotland, its partners or subcontractors want to use your personal information for other reasons. If this happens we will:
As a large employer, we sometimes process staff health data for the purpose of:
As well as receiving information directly from you we may also receive it from someone making a call on your behalf such as:
Healthcare professionals providing services for the NHS can view information that comes from different parts of the NHS, such as your Emergency Care Summary (ECS) and your Key Information Summary (KIS), which are copied from your GP’s records.
Equally, GPs have access to health information about you from other areas of the NHS such as hospitals or laboratories. GPs need this information to provide you with effective healthcare.
Pharmacies may also have access to some of your health information, such as prescriptions and allergies.
Depending on the situation, and only where appropriate, we may share personal information with the following types of recipients:
When sharing information, NHS Scotland only provides the minimum information required and only if there is a legal basis for that, otherwise the NHS will ask for your consent prior to sharing your data.
The law protects your confidentiality and we will not share your personal information with others unless there is a clear legal basis to do so. Any information shared will be appropriate, relevant and proportionate to the purpose of the sharing.
It may sometimes be necessary to transfer personal information overseas.
When needed, information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with the Data Protection regulations and with NHS Scotland Information Security Policy.
NHS Scotland keeps personal information as set out in the Scottish Government Records Management Health and Social Care Code of Practice. This sets out the recommended retention periods for information, including personal information held in different types of records such as medical and administrative records. As directed by the Scottish Government in the Code of Practice, organisations processing NHS information must:
NHS staff and staff working within organisations processing NHS information must follow these guidelines.
We take care to ensure your personal information is only accessible to authorised people. Our staff have a legal and contractual duty to keep personal health information secure and confidential. We do this by:
NHS Scotland is committed to continually improving the security of your data.
When planning the development of new information systems or services, NHS Scotland follows the principles of ‘Privacy by Design’. This means that we will always use your personal information appropriately.
NHS Scotland groups ensure this process is followed. These groups include:
This section describes your data protection rights within NHS Scotland.
NHS Scotland must explain how we use your personal information. To do this we have produced:
You can also speak to a member of staff involved in your care.
You have the right to access your own personal information.
This right includes making you aware of what information we hold. It also gives you the opportunity to check that we are using your information fairly and legally.
You have the right to obtain:
We must provide this information free of charge. However, in certain circumstances we may charge a reasonable fee or refuse to process your request, such as:
If you would like to access your personal information, you can do this by contacting the relevant data controller (for example your local NHS Board or GP).
Once the relevant data controller has received your request and you have provided them with enough information for them to locate your personal information, they will respond to your request within one month. However, if your request is complex they may take up to two months to respond. If this is the case the data controller will explain the reason for the delay.
If the personal information held by an NHS Scotland organisation (the data controller) is inaccurate or incomplete you have the right to have this corrected.
If it is agreed that your personal information is inaccurate or incomplete the data controller will aim to amend your records accordingly. The original information, along with an explanation of why information has been corrected or amended, must remain on our records as an audit trail.
The data controller will normally amend records within one month. If they need more time to do this they will let you know. They may need another two months if the request is complex. In this case they will contact you as quickly as possible to explain why.
Where possible we will restrict access to your records to ensure that inaccurate or incomplete information is not used until amended. However, if your safety is at risk, we will continue allowing access.
If for any reason the data controller has shared your information with anyone else, for example during a referral to another service, they will notify them of the changes required so that we can ensure their records are also accurate.
If, on considering your request, the data controller does not consider your personal information inaccurate, they will add a note to your record stating your concerns about the information. If this happens we will let you know why.
If you are unhappy about how an NHS organisation responds to your request for rectification you can complain to the Information Commissioner’s Office, or take legal action.
You have the right to object to your information being used. NHS Scotland will consider your request and respond within 1 calendar month.
If NHS Scotland can demonstrate compelling legitimate grounds to use your personal information (for example, when it is needed for patient safety or as evidence to support legal claims) your right will not be upheld.
You have other rights under current Data Protection Law. However these rights only apply in certain circumstances. More information on these rights can be found on the Information Commissioner’s Office website.
Every Data Controller in NHS Scotland has employed or nominated a data protection officer to check that they handle personal information in a way that meets data protection law requirements. If you are unhappy with the way in which we use your personal information please contact your local data protection officer.
You also have the right to complain to the Information Commissioner’s Office (ICO) about how we use your personal information.
This information can be provided in other languages and formats on request. The NHS inform helpline provides an interpreting service.
If you have a data protection concern, please contact your local NHS Data Protection Officer first.
Every NHS organisation has a Caldicott Guardian responsible for protecting patient identifiable information. The Caldicott Guardian ensures patient privacy is protected.
| NHS Board | Caldicott Guardian |
|---|---|
| NHS Ayrshire and Arran | Dr Crawford McGuffie |
| NHS Borders | Dr Sohail Bhatti |
| NHS Dumfries and Galloway | Dr Ken Donaldson |
| NHS Fife | Dr Chris Mckenna |
| NHS Forth Valley | Dr Andrew Murray |
| NHS Grampian | Professor Nick Fluck |
| NHS Greater Glasgow and Clyde | Dr Emilia Crighton |
| NHS Highland | Dr Tim Allison |
| NHS Lanarkshire | Professor Josephine Pravinkumar |
| NHS Lothian | Tracey Gilles |
| NHS Orkney | Dr Louise Wilson |
| NHS Shetland | Dr Kirsty Brightwell |
| NHS Tayside | Dr Pamela Johnston |
| NHS Western Isles | Dr Maggie Watts |
| NHS Education for Scotland | Dr David H Felix |
| Public Health Scotland | Dr Nick Phin |
| Golden Jubilee Hospital | Dr Mark MacGregor |
| NHS 24 | Dr Laura Ryan |
| Scottish Ambulance Service | Dr James Ward |
| The State Hospital | Dr Duncan Alcock |
| NHS National Services Scotland | Dr Lorna Ramsay and Dr Brendan O’Brien (Deputy) |
| Healthcare Improvement Scotland | Dr George Fernie |
Scottish Ministers are responsible for the NHS in Scotland. The Chief Executive of NHS Scotland is the Director General of Health and Social Care within the Scottish Government.
You can contact the National Information Governance Team for Health and Care by email DHCIG@gov.scot.
If you have concerns about the Scottish Government’s compliance with data protection laws please contact DataProtectionOfficer@gov.scot.
Last updated: 17 November 2023