How the NHS handles your personal health information

This ​page tells you about what NHS Scotland may do with your personal data.

About NHS Scotland

What kind of personal information is NHS Scotland using?

Why we use personal information

NHS Scotland's legal basis for using your personal health information

Who provides your personal information to the NHS?

Sharing personal information with others

Transferring personal information abroad

Retention periods for the information we hold

How we protect personal health information

Your rights

Other languages and formats

Your local data protection officer

Your local Caldicott Guardian

About NHS Scotland

Founded in 1948, NHS Scotland is made up of various organisations such as:

  • NHS Boards
  • GP practices
  • The Scottish Ambulance Service

These organisations are individually responsible for your personal health information. In terms of data protection and privacy laws, they are known as 'data controllers'.

NHS Scotland also works with a range of subcontractors who are required to provide a variety of health and social care services and support. They include:

  • voluntary organisations
  • charities
  • private contractors

Sometimes these organisations need access to some of your personal information to carry out activities on behalf of the NHS. These organisations are called 'data processors'.

Find out more more about NHS Scotland.

What kind of personal information is NHS Scotland using?

We use personal information on different groups of individuals including:

  • callers
  • patients and some details of their families and carers as needed
  • staff
  • volunteers
  • students on placement
  • contractors
  • suppliers
  • complainants and enquirers
  • survey respondents
  • professional experts and consultants
  • individuals captured by CCTV

We use information that can identify individuals such as:

  • name
  • address
  • date of birth
  • postcode
  • CHI number (for registered patients)
  • NHS employee number (for staff)

We also use more sensitive types of personal information including:

  • racial or ethnic origin
  • political opinion
  • religious or philosophical beliefs
  • trade union membership
  • genetic and biometric data
  • health
  • sex life
  • sexual orientation

The information we use can relate to:

  • personal and family details
  • education
  • training and employment details
  • financial details
  • lifestyle and social circumstances
  • goods and services
  • audio recordings
  • visual images
  • physical appearance and behaviour
  • patient records
  • responses to surveys

We will only collect this type of information when it is needed. NHS Scotland will make every effort to ensure the data is processed in a fair and lawful manner.

Why we use personal information

Under the NHS Scotland Act, NHS Scotland organisations have a legal responsibility to directly or indirectly provide a range of services, including:

  • healthcare
  • health improvement
  • health protection

These services form a National Health Service which is responsible for improving the physical and mental health of people in Scotland.

NHS Scotland also needs some personal information for the management and planning of health and social care services and for public health reasons, such as:

  • protecting against serious threats to health
  • ensuring high standards of quality
  • the safety of medicines and equipment

We may also use personal information to enable us to comply with legal requirements, such as:

  • dealing with fraud and crime
  • research and statistical purposes
  • supporting, training and managing our employees
  • maintaining NHS financial accounts

NHS Scotland’s legal basis for using your personal information

All NHS Scotland data controllers are required to have a legal basis when using personal information. The main legal basis for which NHS Scotland uses personal information is to provide health and social care.

In some situations we may rely on a different legal basis for example, when we are using personal information to pay a supplier, our legal basis is that it is needed for a contract. Another example would be to comply with a legal obligation the NHS has, for example notifying Health Protection Scotland when someone contracts a specific disease.

When we are using more sensitive types of personal information, including health information, our legal basis is usually that the information is necessary:

  • for the provision or management of health and social care services (this includes when we are treating you ourselves, or if we are referring you to other services for help)
  • for reasons of public interest in the area of public health
  • for reasons of substantial public interest for aims that are proportionate and respect people’s rights, for example research
  • in order to protect the vital interests of an individual
  • for the establishment, exercise or defence of legal claims or in the case of a court order
  • to carry out our obligations and exercise our rights in respect of employment, social security and social protection
  • for archiving purposes, historical or scientific research or statistical purposes that are proportionate and respect people’s rights

Only in certain circumstances will NHS Scotland, its partners or subcontractors want to use your personal information for other reasons. If this happens we will:

  • ask you for your explicit consent
  • explain what it means to you
  • tell you about your rights (including how to exercise your right to withdraw consent)

As a large employer, we sometimes process staff health data for the purpose of:

  • preventative medicine
  • occupational medicine
  • the assessment of the working capacity of the employee

Who provides your personal information to the NHS?

As well as receiving information directly from you we may also receive it from someone making a call on your behalf such as:

  • family members
  • individuals and organisations involved in providing health and social care services in Scotland
  • other NHS Boards and primary care contractors such as GPs
  • other public bodies such as local authorities and suppliers of goods and services

Healthcare professionals providing services for the NHS can view information that comes from different parts of the NHS, such as your Emergency Care Summary (ECS) and your Key Information Summary (KIS), which are copied from your GP's records.

Equally, GPs have access to health information about you from other areas of the NHS such as hospitals or laboratories. GPs need this information to provide you with effective healthcare.

Pharmacies may have also access to some of your health information, such as prescriptions and allergies.

Sharing personal information with others

Depending on the situation, and only where appropriate, we may share personal information with the following types of recipients:

  • citizens and patients registered with NHS Scotland
  • family, carers, associates and representatives of the person whose personal data we are processing
  • NHS staff
  • current, past and potential employers
  • healthcare, social and welfare organisations
  • suppliers, service providers, professional advisors and consultants
  • legal representatives
  • auditors and audit bodies
  • educators and examining bodies
  • medical researchers
  • medical education institutions (for example College of Nursing)
  • when dealing with enquiries or complaints
  • financial bodies
  • professional bodies
  • trades unions
  • business associates
  • police forces
  • security organisations
  • central and local government, government agencies and regulatory bodies
  • voluntary and charitable organisations

When sharing information, NHS Scotland only provides the minimum information required and only if there is a legal basis for that, otherwise the NHS will ask for your consent prior to sharing your data.

The law protects your confidentiality and we will not share your personal information with others unless there is a clear legal basis to do so. Any information shared will be appropriate, relevant and proportionate to the purpose of the sharing.

Transferring personal information abroad

It may sometimes be necessary to transfer personal information overseas.

When needed, information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with the Data Protection regulations and with NHS Scotland Information Security Policy.

Retention periods for the information we hold

NHS Scotland keeps personal information as set out in the NHS Records Management Code of Practice (Scotland). This sets out the recommended retention periods for information, including personal information held in different types of records including medical and administrative records. As directed by the Scottish Government in the Records Management Code of Practice, organisations processing NHS information must:

  • maintain a retention schedule detailing the retention periods by default for the information we process and have procedures for mandatory archival of records (when these apply)
  • ensure the safe disposal of personal information

NHS staff and subcontractors must follow these guidelines.

How we protect personal information

We take care to ensure your personal information is only accessible to authorised people. Our staff have a legal and contractual duty to keep personal health information secure, and confidential. We do this by:

  • ensuring all staff and subcontractors undertake mandatory training in data protection and IT security
  • ensuring compliance with NHS Scotland Information Security Policy
  • following organisational policy and procedures on the safe handling of personal information
  • having access controls and audits of electronic systems
  • ensuring that organisations that process personal information held by NHS Scotland comply with Cyber Essentials® and work towards information security best practices, such us the ISO 27001 Standard

NHS Scotland is committed to continually improving the security of your data.

When planning the development of new information systems or services, NHS Scotland follow the principles of 'Privacy by Design'. This means that we will always use your personal information appropriately.

NHS Scotland groups ensure this process is followed. These groups include:

  • Public Benefit and Privacy Panel for Health & Social Care
  • CHI Advisory Group
  • Caldicott Guardians Forum
  • Information Governance Group

Your rights

This section describes your data protection rights within NHS Scotland.

The right to be informed

NHS Scotland must explain how we use your personal information. To do this we have produced:

  • this data protection notice
  • patient information leaflets

You can also speak to a member of staff involved in your care.

The right of access

You have the right to access your own personal information.

This right includes making you aware of what information we hold. It also gives you the opportunity to check that we are using your information fairly and legally.

You have the right to obtain:

  • confirmation that your personal information is being held or used by us
  • access to your personal information
  • additional information about how we use your personal information

We must provide this information free of charge, however in certain circumstances we may charge a reasonable fee or refuse to process your request such as:

  • if your request is considered unfounded or excessive
  • or if you request the same information more than once

If you would like to access your personal information, you can do this by contacting the relevant data controller (for example your local NHS Board or GP).

Once the relevant data controller has received your request and you have provided them with enough information for them to locate your personal information, they will respond to your request within one month . However if your request is complex they may take up to two months, to respond. If this is the case the data controller will explain the reason for the delay.

The right to rectification

If the personal information held by an NHS Scotland organisation (the data controller) is inaccurate or incomplete you have the right to have this corrected.

If it is agreed that your personal information is inaccurate or incomplete the data controller will aim to amend your records accordingly. The original information, along with an explanation of why information has been corrected or amended, must remain on our records as an audit trail.

The data controller will normally amend records within one month. If they need more time to do this they will let you know. They may need another two months if the request is complex. In this case they will contact you as quickly as possible to explain why.

Where possible we will restrict access to your records to ensure that inaccurate or incomplete information is not used until amended. However, if your safety is at risk, we will continue allowing access.

If for any reason the data controller has shared your information with anyone else, perhaps during a referral to another service for example, they will notify them of the changes required so that we can ensure their records are also accurate.

If on consideration of your request the data controller does not consider your personal information inaccurate they will add a note to your record stating your concerns about the information. If this happens we will let you know why.

If you are unhappy about how an NHS organisation responds to your request for rectification you can complain to the Information Commissioner’s Office, or take legal action.

The right to object

You have the right to object to your information being used. NHS Scotland will consider your request and respond within 1 calendar month.

If NHS Scotland can demonstrate compelling legitimate grounds to use your personal information (for example, when it is needed for patient safety or as evidence to support legal claims) your right will not be upheld.

Other rights

You have other rights under current Data Protection Law. However these rights only apply in certain circumstances. More information on these rights can be found on the Information Commissioner’s Office website.

The right to complain

Every Data Controller in NHS Scotland has employed or nominated a data protection officer to check that they handle personal information in a way that meets data protection law requirements. If you are unhappy with the way in which we use your personal information please contact your local data protection officer.

You also have the right to complain to the Information Commissioner’s Office (ICO) about how we use your personal information.

Other languages and formats

This information can be provided in other languages and formats on request. The NHS inform helpline provides an interpreting service.

Your local Data Protection Officer

If you have a data protection concern, you can contact your local NHS Data Protection Officer.

NHS Board

NHS Data Protection Officer contact details

NHS Ayrshire and Arran informationgovernance@aapct.scot.nhs.uk
NHS Borders DPO@borders.scot.nhs.uk
NHS Dumfries and Galloway dumf-uhb.dataprotection@nhs.net
NHS Fife Fife-UHB.DataProtection@nhs.net
NHS Forth Valley fv-uhb.informationgovernance@nhs.net
NHS Grampian nhsg.infogovernance@nhs.net
NHS Greater Glasgow and Clyde data.protection@ggc.scot.nhs.uk
NHS Highland high-uhb.dpohighland@nhs.net
NHS Lanarkshire DPE@lanarkshire.scot.nhs.uk
NHS Lothian Lothian.DPO@nhs.net
NHS Orkney orkney.dp@nhs.net
NHS Shetland shet-hb.dpo@nhs.net
NHS Tayside informationgovernance.tayside@nhs.net
NHS Western Isles wi-hb.dpo@nhs.net
NHS Education for Scotland foidp@nes.scot.nhs.uk
NHS Health Scotland nhs.healthscotland-dpo@nhs.net
Golden Jubilee Hospital ig@gjnh.scot.nhs.uk
NHS24 dp@nhs24.scot.nhs.uk
Scottish Ambulance Service Scotamb.dpo@nhs.net
The State Hospital TSH.DataProtection@NHS.net
NHS National Services Scotland nss.dataprotection@nhs.net
Healthcare Improvement Scotland hcis.informationgovernance@nhs.net

Your local Caldicott Guardian

Every NHS organisation has a Caldicott Guardian responsible for protecting patient identifiable information. The Caldicott Guardian ensures patient privacy is protected.

NHS Board

 

Caldicott Guardian

NHS Ayrshire and Arran   ​Dr Alison Graham
NHS Borders    Dr Tim Patterson
​NHS Dumfries and Galloway   Dr Ken Donaldson
NHS Fife   Dr Christopher Mckenna
NHS Forth Valley   Dr Andrew Murray
NHS Grampian   Dr Nick Fluck
NHS Greater Glasgow and Clyde   Dr Emilia Crighton
NHS Highland   Dr Hugo Van Woerden
​NHS Lanarkshire   Dr Gabe Docherty
NHS Lothian   ​Prof Alison McCallum
NHS Orkney   Dr. Louise Wilson
NHS Shetland   Dr Brian Chittick
​NHS Tayside   Prof Peter Stonebridge
NHS Western Isles   Dr Maggie Watts
NHS Education for Scotland   Prof D Stewart Irvine
NHS Health Scotland   Dr Diane Stockton
Golden Jubilee Hospital   Dr Alistair MacFie
NHS 24   Dr Laura Ryan​
​Scottish Ambulance Service   Dr James Ward​
​The State Hospital   Dr Duncan Alcock​
​NHS National Services Scotland   Dr Eleanor Anderson, Dr Lorna Ramsay, Dr Maria Rossi and Dr Nicola Steedman 
Healthcare Improvement Scotland   Dr George Fernie