How the NHS handles your personal health information
About NHS Scotland
Founded in 1948, NHS Scotland is made up of various organisations such as:
- NHS Boards
- GP practices
- The Scottish Ambulance Service
These organisations are individually responsible for your personal health information. In terms of data protection and privacy laws, they are known as 'data controllers'.
NHS Scotland also works with a range of subcontractors who are required to provide a variety of health and social care services and support. They include:
- voluntary organisations
- private contractors
Sometimes these organisations need access to some of your personal information to carry out activities on behalf of the NHS. These organisations are called 'data processors'.
Find out more about NHS Scotland.
What kind of personal information is NHS Scotland using?
We use personal information on different groups of individuals including:
- patients and some details of their families and carers as needed
- students on placement
- complainants and enquirers
- survey respondents
- professional experts and consultants
- individuals captured by CCTV
We use information that can identify individuals such as:
- date of birth
- CHI number (for registered patients)
- NHS employee number (for staff)
We also use more sensitive types of personal information including:
- racial or ethnic origin
- political opinion
- religious or philosophical beliefs
- trade union membership
- genetic and biometric data
- sex life
- sexual orientation
The information we use can relate to:
- personal and family details
- training and employment details
- financial details
- lifestyle and social circumstances
- goods and services
- audio recordings
- visual images
- physical appearance and behaviour
- patient records
- responses to surveys
We will only collect this type of information when it is needed. NHS Scotland will make every effort to ensure the data is processed in a fair and lawful manner.
Why we use personal information
Under the NHS Scotland Act, NHS Scotland organisations have a legal responsibility to directly or indirectly provide a range of services, including:
- health improvement
- health protection
These services form a National Health Service which is responsible for improving the physical and mental health of people in Scotland.
NHS Scotland also needs some personal information for the management and planning of health and social care services and for public health reasons, such as:
- protecting against serious threats to health
- ensuring high standards of quality
- the safety of medicines and equipment
We may also use personal information to enable us to comply with legal requirements, such as:
- dealing with fraud and crime
- research and statistical purposes
- supporting, training and managing our employees
- maintaining NHS financial accounts
NHS Scotland’s legal basis for using your personal information
All NHS Scotland data controllers are required to have a legal basis when using personal information. The main legal basis for which NHS Scotland uses personal information is to undertake a task in the public interest. This task is to provide health and social care.
In some situations we may rely on a different legal basis. For example, when we are using personal information to pay a supplier, our legal basis is that it is needed for a contract. Another example would be to comply with a legal obligation the NHS has, such as notifying Health Protection Scotland when someone contracts a specific disease.
When we are using more sensitive types of personal information, including health information, our legal basis is usually that the information is necessary:
- for the provision or management of health and social care services (this includes when we are treating you ourselves, or if we are referring you to other services for help)
- for reasons of public interest in the area of public health
- for reasons of substantial public interest for aims that are proportionate and respect people’s rights, for example research
- in order to protect the vital interests of an individual
- for the establishment, exercise or defence of legal claims or in the case of a court order
- to carry out our obligations and exercise our rights in respect of employment, social security and social protection
- for archiving purposes, historical or scientific research or statistical purposes that are proportionate and respect people’s rights
Only in certain circumstances will NHS Scotland, its partners or subcontractors want to use your personal information for other reasons. If this happens we will:
- ask you for your explicit consent
- explain what it means to you
- tell you about your rights (including how to exercise your right to withdraw consent)
As a large employer, we sometimes process staff health data for the purpose of:
- preventative medicine
- occupational medicine
- the assessment of the working capacity of the employee
Who provides your personal information to the NHS?
As well as receiving information directly from you we may also receive it from someone making a call on your behalf such as:
- family members
- individuals and organisations involved in providing health and social care services in Scotland
- other NHS Boards and primary care contractors such as GPs
- other public bodies such as local authorities and suppliers of goods and services
Healthcare professionals providing services for the NHS can view information that comes from different parts of the NHS, such as your Emergency Care Summary (ECS) and your Key Information Summary (KIS), which are copied from your GP's records.
Equally, GPs have access to health information about you from other areas of the NHS such as hospitals or laboratories. GPs need this information to provide you with effective healthcare.
Pharmacies may also have access to some of your health information, such as prescriptions and allergies.
Sharing personal information with others
Depending on the situation, and only where appropriate, we may share personal information with the following types of recipients:
- citizens and patients registered with NHS Scotland
- family, carers, associates and representatives of the person whose personal data we are processing
- NHS staff
- current, past and potential employers
- healthcare, social and welfare organisations
- suppliers, service providers, professional advisors and consultants
- legal representatives
- auditors and audit bodies
- educators and examining bodies
- medical researchers
- medical education institutions (for example College of Nursing)
- when dealing with enquiries or complaints
- financial bodies
- professional bodies
- trades unions
- business associates
- police forces
- security organisations
- central and local government, government agencies and regulatory bodies
- voluntary and charitable organisations
When sharing information, NHS Scotland only provides the minimum information required and only where there is a legal basis for doing so; otherwise the NHS will ask for your consent before sharing your data.
The law protects your confidentiality and we will not share your personal information with others unless there is a clear legal basis to do so. Any information shared will be appropriate, relevant and proportionate to the purpose of the sharing.
Transferring personal information abroad
It may sometimes be necessary to transfer personal information overseas.
When needed, information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with the Data Protection regulations and with NHS Scotland Information Security Policy.
Retention periods for the information we hold
NHS Scotland keeps personal information as set out in the Scottish Government Records Management Health and Social Care Code of Practice. This sets out the recommended retention periods for information, including personal information held in different types of records including medical and administrative records. As directed by the Scottish Government in the Code of Practice, organisations processing NHS information must:
- produce a retention schedule detailing the retention periods for the NHS information processed
- ensure the safe and secure disposal of personal information
NHS staff and staff working within organisations processing NHS information must follow these guidelines.
How we protect personal information
We take care to ensure your personal information is only accessible to authorised people. Our staff have a legal and contractual duty to keep personal health information secure and confidential. We do this by:
- ensuring all staff and subcontractors undertake mandatory training in data protection and IT security
- ensuring compliance with NHS Scotland Information Security Policy
- following organisational policy and procedures on the safe handling of personal information
- having access controls and audits of electronic systems
- ensuring that organisations that process personal information held by NHS Scotland comply with Cyber Essentials® and work towards information security best practices, such as the ISO 27001 Standard
NHS Scotland is committed to continually improving the security of your data.
When planning the development of new information systems or services, NHS Scotland follows the principles of 'Privacy by Design'. This means that we will always use your personal information appropriately.
NHS Scotland groups ensure this process is followed. These groups include:
- Public Benefit and Privacy Panel for Health & Social Care
- CHI Advisory Group
- Caldicott Guardians Forum
- Information Governance Group
This section describes your data protection rights within NHS Scotland.
The right to be informed
NHS Scotland must explain how we use your personal information. To do this we have produced:
- this data protection notice
- patient information leaflets
You can also speak to a member of staff involved in your care.
The right of access
You have the right to access your own personal information.
This right includes making you aware of what information we hold. It also gives you the opportunity to check that we are using your information fairly and legally.
You have the right to obtain:
- confirmation that your personal information is being held or used by us
- access to your personal information
- additional information about how we use your personal information
We must provide this information free of charge. However, in certain circumstances we may charge a reasonable fee or refuse to process your request, for example:
- if your request is considered unfounded or excessive
- if you request the same information more than once
If you would like to access your personal information, you can do this by contacting the relevant data controller (for example your local NHS Board or GP).
Once the relevant data controller has received your request and you have provided them with enough information for them to locate your personal information, they will respond to your request within one month. However, if your request is complex they may take up to a further two months to respond. If this is the case the data controller will explain the reason for the delay.
The right to rectification
If the personal information held by an NHS Scotland organisation (the data controller) is inaccurate or incomplete you have the right to have this corrected.
If it is agreed that your personal information is inaccurate or incomplete the data controller will aim to amend your records accordingly. The original information, along with an explanation of why information has been corrected or amended, must remain on our records as an audit trail.
The data controller will normally amend records within one month. If they need more time to do this they will let you know. They may need another two months if the request is complex. In this case they will contact you as quickly as possible to explain why.
Where possible we will restrict access to your records to ensure that inaccurate or incomplete information is not used until amended. However, if your safety is at risk, we will continue allowing access.
If the data controller has shared your information with anyone else, for example during a referral to another service, they will notify them of the changes required so that their records are also accurate.
If, on consideration of your request, the data controller does not consider your personal information inaccurate, they will add a note to your record stating your concerns about the information. If this happens we will let you know why.
If you are unhappy about how an NHS organisation responds to your request for rectification you can complain to the Information Commissioner’s Office, or take legal action.
The right to object
You have the right to object to your information being used. NHS Scotland will consider your request and respond within one calendar month.
If NHS Scotland can demonstrate compelling legitimate grounds to use your personal information (for example, when it is needed for patient safety or as evidence to support legal claims) your right will not be upheld.
You have other rights under current Data Protection Law. However these rights only apply in certain circumstances. More information on these rights can be found on the Information Commissioner’s Office website.
The right to complain
Every Data Controller in NHS Scotland has employed or nominated a data protection officer to check that they handle personal information in a way that meets data protection law requirements. If you are unhappy with the way in which we use your personal information please contact your local data protection officer.
You also have the right to complain to the Information Commissioner’s Office (ICO) about how we use your personal information.
Other languages and formats
This information can be provided in other languages and formats on request. The NHS inform helpline provides an interpreting service.
Your local NHS Data Protection Officer
If you have a data protection concern, please contact your local NHS Data Protection Officer first.
Your local Caldicott Guardian
Every NHS organisation has a Caldicott Guardian responsible for protecting patient identifiable information. The Caldicott Guardian ensures patient privacy is protected.
| Organisation | Caldicott Guardian |
| --- | --- |
| NHS Ayrshire and Arran | Dr Crawford McGuffie |
| NHS Borders | Dr Sohail Bhatti |
| NHS Dumfries and Galloway | Dr Ken Donaldson |
| NHS Fife | Dr Chris Mckenna |
| NHS Forth Valley | Dr Andrew Murray |
| NHS Grampian | Professor Nick Fluck |
| NHS Greater Glasgow and Clyde | Dr Emilia Crighton |
| NHS Highland | Dr Tim Allison |
| NHS Lanarkshire | Professor Josephine Pravinkumar |
| NHS Lothian | Tracey Gilles |
| NHS Orkney | Dr Louise Wilson |
| NHS Shetland | Dr Kirsty Brightwell |
| NHS Tayside | Dr Pamela Johnston |
| NHS Western Isles | Dr Maggie Watts |
| NHS Education for Scotland | Dr David H Felix |
| Public Health Scotland | Dr Nick Phin |
| Golden Jubilee Hospital | Dr Mark MacGregor |
| NHS 24 | Dr Laura Ryan |
| Scottish Ambulance Service | Dr James Ward |
| The State Hospital | Dr Duncan Alcock |
| NHS National Services Scotland | Dr Lorna Ramsay and Dr Brendan O'Brien (Deputy) |
| Healthcare Improvement Scotland | Dr George Fernie |
Contact the Health and Social Care Directorate at Scottish Government
Scottish Ministers are responsible for the NHS in Scotland. The Chief Executive of NHS Scotland is the Director General of Health and Social Care within the Scottish Government.
You can contact the National Information Governance Team for Health and Care by email DHCIG@gov.scot.
If you have concerns about the Scottish Government's compliance with data protection laws please contact DataProtectionOfficer@gov.scot.
24 February 2023