Data protection

About us

NHS National Services Scotland (NHS NSS) is a public organisation created in Scotland under section 10 of the National Health Service (Scotland) Act 1978 (the 1978 Act) (external link).

‘NHS National Services Scotland’ is the common name of the Common Services Agency for the Scottish Health Service.

We’re one of the organisations which form part of NHS Scotland.

Why we use personal information

As an organisation, we’ve been given tasks by the Scottish Government so we can promote and improve the physical and mental health of the people of Scotland and play our part in operating a comprehensive and integrated national health service in Scotland.

These tasks (or functions as they are described in the legislation), are given to us under the 1978 Act and related legislation like the National Health Service (Functions of the Common Services Agency) (Scotland) Order 2008 (external link) and the National Health Service (Functions of the Common Services Agency) (Scotland) Amendment Order 2014 (external link).

Along with all health boards within NHS Scotland, we use personal information to:

• support the administration of health and care services
• carry out data matching under the national fraud initiative
• conduct research
• support and manage our employees
• maintain our accounts and records
• use CCTV systems for crime prevention

We also use personal information to help us fulfil specific tasks that we’ve been given as an organisation, like administering:

• blood transfusion (blood, tissues and stem cells) services
• consultancy and advisory services
• counter-fraud processing
• legal services
• lending, hire and library services
• the National Appeal Panel for Entry to the Pharmaceutical List (external link)

Delivering our services

You can find more details on how we use personal information to deliver our services on the following websites:

• Supplying safe high quality blood, tissues, products and services across the country – visit our Scotblood website (external link).
• Commissioning screening and specialist healthcare services – visit our National Services Division website (external link).
• Delivering specialist technical guidance, support and advice on healthcare buildings and equipment – visit our Health Facilities Scotland website (external link)
• Providing a central procurement service including specialist advice and commercial solutions – visit our NHS National Procurement website (external link).
• Ensuring quality local treatment by paying General Practitioners (GPs), dentists, opticians and pharmacists and updating the Community Health Index (CHI) database – visit the practitioner section of our website.
• Protecting Scotland’s health from the impact of fraud – visit the Counter Fraud Services section of our website.
• Providing legal services to NHS Scotland and the Scottish public sector – visit our Central Legal Office (CLO) website (external link).
• Providing a range of professional meetings and events services and resources – visit our Scottish Health Service Centre (SHSC) website (external link).

Why we use personal information during the coronavirus (COVID-19) pandemic

Your data is being used in different ways or in different settings during the response to COVID-19 so that we can better inform our decision making and protect the public in this rapidly evolving situation.

The fundamental reason for using your data is still so that we can fulfil our role as a health board, for the purposes of managing your healthcare and of managing the healthcare system. This overall privacy notice explains our role in full and your data protection and data rights are not affected by how we’re using your data during the response to COVID-19.

We want you to be aware of some additional activities we’re undertaking. We will update this page from time to time as appropriate. Please do get in touch if you have any questions or concerns or you wish to exercise any of your data rights by emailing nss.dataprotection@nhs.scot

We remain focused on the COVID-19 response at present, so we ask for your understanding if our response times are slower than normal or we cannot fulfil all of your request at present. We continue to take steps to safeguard your data including the use of rapid risk assessments when we change something and using information sharing, data processing or confidentiality agreements as needed.

We are supporting the Scottish Government, Public Health Scotland (PHS) and NHSScotland health boards in the response to COVID-19. If you wish to find out how personal and healthcare data is being used during the COVID-19 response please read the Scottish Government's Information Governance COVID-19 Privacy Statement.

We provide some additional detail on our activities below and we’ll update this information periodically as our response to COVID-19 progresses. In many of the activities mentioned below, NSS is a joint controller of the relevant data, alongside PHS. PHS also have their own Privacy Notice.

How data is being used during COVID-19

During the COVID-19 pandemic, we’re processing data to help us carry out tasks or functions which relate to:

• shielding
• testing
• contact tracing

We believe that this processing is necessary for protecting public health, health care purposes, statistical purposes and performing a task in the public interest. It also ties into the tasks (or functions) that we carry out, as directed by the laws mentioned in the why we use personal information section.

Shielding

With PHS, we are controllers of the list of ‘shielded’ citizens in Scotland.

What we’ve done

We’ve provided information governance support and advice in relation to the shielding data set and we’ve been responsible for sending out letters to the identified citizens.

We’ve also provided contact information on those shielded to other public bodies, such as local authorities, to help shielded citizens. We’ve also updated their GP and health board that they are on the list so they can provide appropriate support.

Data being used

• name
• address
• GP name and practice
• health board
• your shielding category where applicable
• Community Health Index (CHI) number

Testing

We’ve supported the testing programme in Scotland by being the collation point of all COVID-19 testing data. NSS is a joint data controller together with PHS and local health boards.

What we’ve done

We provide relevant data to local boards, for tracing and support purposes as well as providing management information to Scottish Government and boards. We use the testing data to inform you of your COVID-19 test result directly through the National Notification Scheme.

Data being used

• name
• address
• CHI number
• date of birth
• where and when you were tested for COVID-19 – where it was a drive through test, we also hold the time and date of the test, and details of the laboratory that processed the test
• your COVID-19 test result
• mobile number or email address

Contact tracing

We’ve set up the National Contact Tracing Centre on behalf of PHS, which together with local health boards will support contact tracing in Scotland.

What we’ve done

We further use the test data to populate the Case Management System which supports contact tracing in Scotland.

Data being used

• name
• address
• CHI number
• contact details such as a mobile or landline number
• gender
• ethnicity
• GP practice details
• details of your COVID-19 test result
• contact tracing information that you provide, such as who you’ve been in contact with and where you’ve been

Impact and policy assessments on our COVID-19 work

To be as transparent as possible, we're publishing the Data Protection Impact Assessments, System Security Policy Assessments and Equality Impact Assessments in relation to the COVID-19 response work we've been delivering on this page. Please note, these have been reviewed to remove any information that may be harmful to the organisation should this be released into the public domain. If you have trouble accessing these documents or would like them in a different format or language, please contact NSS.EqualityDiversity@nhs.scot

Simple tracing tool

• Simple tracing tool - Data Protection Impact Assessment
• Simple tracing tool - Equality Impact Assessment
• Simple tracing tool - System Security Policy

National Notification Service (NNS) and test data

• NNS - Data Protection Impact Assessment
• NNS - System Security Policy
• Test data - Data Protection Impact Assessment
• Test data for BI - Data Protection Impact Assessment

Case Management System (CMS)

• CMS - Data Protection Impact Assessment
• CMS - Equality Impact Assessment - Focus Group Meeting
• CMS - Equality Impact Assessment - Follow-up Meeting
• CMS - System Security Policy
• CMS - telephony - System Security Policy

Our legal basis for using personal information

Under data protection law, we have responsibilities as a ‘data controller’. A data controller decides why and how we use personal information. This means that we need to have a legal basis when using personal information.

We consider that the tasks and functions we perform are in the public interest. This means that our legal basis for using personal information is usually that the information is needed for performing a task we’re carrying out in the public interest, or exercising official authority vested in us.

In some situations we may rely on a different legal basis – for example, our legal basis for using personal information to pay a supplier is that the information is needed for the purposes of our legitimate interests as a buyer of goods and services.

Our legal basis when we are using more sensitive types of personal information, including health information, is usually that the use is necessary:

• for providing health or social care or treatment or managing health or social care systems and services
• for reasons of public interest in the area of public health
• for reasons of substantial public interest for aims that are proportionate and respect people’s rights
• for archiving, scientific or historical research, or statistical purposes - as long as appropriate safeguards are in place
• in order to protect the vital interests of an individual
• for establishing, exercising or defending legal claims or in the case of a court order

On rare occasions we may rely on your explicit consent as our legal basis for using your personal information. When we do this we will explain what it means, and the rights that are available to you.

What personal information we use

We use personal information on different groups of people including:

• patients
• staff and volunteers
• contractors
• suppliers
• complainants, enquirers
• people who’ve responded to surveys
• professional experts and consultants
• individuals captured by CCTV

The personal information we use includes information that identifies you like your name, address, date of birth and postcode.

The information we use can relate to:

• personal and family details
• education, training and employment
• financial details
• lifestyle and social circumstances
• goods and services
• visual images
• details held in patient records
• responses to surveys

Sensitive personal information

We also use more sensitive types of personal information, including information about:

• racial or ethnic origin
• religious or philosophical beliefs
• trade union membership
• health
• sex life or sexual orientation
• criminal convictions and offences

Who provides the personal information

When you don’t provide information directly to us, we receive it from other individuals and organisations involved in the delivery of health and care services in Scotland. These include:

• other NHS boards
• primary care contractors such as GPs, dentists, pharmacists and opticians
• other public bodies, for example local authorities
• suppliers of goods and services

How we protect personal information

We take care to ensure your personal information is only accessible to authorised people. Our staff have a legal and contractual duty to keep personal health information secure and confidential.

We’ve put the following security measures in place to protect personal information:

• All staff undertake mandatory training in Data Protection and IT Security.
• We comply with NHS Scotland Information Security Policy.
• We have organisational policy and procedures on safely handling personal information.
• We have access controls and audits of electronic systems.

Sharing personal information with others

Depending on the situation, we may need to share personal information with others. If we do, we’ll only share appropriate, relevant and proportionate personal information and we’ll comply with the law.

Others could include:

• our patients and their chosen representatives or carers
• staff
• current, past and potential employees
• healthcare social and welfare organisations
• suppliers, service providers, legal representatives
• auditors and audit bodies
• educators and examining bodies
• research organisations
• people making an enquiry or complaint
• financial organisations
• professional bodies
• trade unions
• business associates
• courts, tribunals and legal experts
• police forces
• security organisations
• central and local government
• voluntary and charitable organisations

Transferring personal information abroad

We don’t routinely transfer personal information to countries outside of the European Union (EU) or to non-EU countries without an adequate level of data protection. If it becomes necessary then the transfer will comply with data protection law and the NHSScotland Information Security Policy.

How long we retain the information for

We keep personal information as set out in the Scottish Government Records Management: NHS Code of Practice (Scotland) Version 2.1 January 2012 (the code). The code sets out the length of time we need to retain information (called ‘minimum retention periods’) including personal information, held in different types of records like personal health records and administrative records.

We maintain a ‘retention schedule’, as directed by the code, which details the minimum retention period for the personal information we use and how we safely dispose of it.

Your rights

This section contains a description of your data protection rights.

The right to be informed

As an organisation, we must explain how we use your personal information. We use a number of ways to communicate how personal information is used, including:

• this Data Protection Notice
• information leaflets
• discussions with staff providing your care

The right of access

You have the right to access your own personal information.

This right includes making you aware of what information we hold along with the opportunity to satisfy you that we’re using your information fairly and legally.

You have the right to:

• confirmation that your personal information is being held or used by us
• access your personal information
• additional information about how we use your personal information

Although we must provide this information free of charge, we may charge a reasonable fee if your request is considered unfounded or excessive or if you request the same information more than once.

If you’d like to access your personal information, get in touch with us with the details of your request using the following contact details:

NSS Data Protection Officer 
Gyle Square
1 South Gyle Crescent
Edinburgh
EH12 9EB
Tel: 0131 275 6000
Email: nss.dataprotection@nhs.scot

Once we’ve received your request and you’ve provided enough information for us to locate your personal information, we’ll respond to your request within one month (30 days). However we may take longer to respond – by up to two months – if your request is complex. If this is the case we’ll tell you and explain the reason for the delay.

Update - impact of coronavirus on picking up mail

Due to the coronavirus outbreak, many of our staff are working remotely so we cannot guarantee that mail posted to us will be picked up. Instead we ask that you submit any requests by emailing nss.dataprotection@nhs.scot

The right to rectify personal information

If the personal information we hold about you is inaccurate or incomplete you have the right to have this corrected – this is called the right to rectification.

If it’s agreed that your personal information is inaccurate or incomplete we’ll aim to amend your records within one month, or within two months where the request is complex. If more time is needed to fulfil your request, we’ll contact you as quickly as possible to let you know. We can restrict access to your records to ensure that the inaccurate or incomplete information is not used until amended – unless there is a risk to patient safety.

If for any reason we’ve shared your information with anyone else, perhaps during a referral to another service for example, we’ll explain to them the changes needed so they can ensure their records are accurate.

If, when we consider your request fully, we don’t consider the personal information to be inaccurate then we’ll add a comment to your record stating your concerns about the information. If this is the case we’ll contact you within one month to explain our reasons.

If you’re unhappy about how we respond to your request for rectification, we will provide you with information on how you can complain to the Information Commissioner’s Office, or how to take legal action.

The right to object

When we process your personal information, you have the right to object to the processing and also seek that further processing of your personal information is restricted.

Your right to object will not be upheld if we can demonstrate compelling legitimate grounds for processing your personal information, like patient safety or for evidence to support legal claims.

The right to complain

We employ a Data Protection Officer to check that we handle personal information in a way that meets data protection law. If you’re unhappy with the way we use your personal information, please contact our Data Protection Officer:

NSS Data Protection Officer 
Gyle Square
1 South Gyle Crescent
Edinburgh
EH12 9EB
Tel: 0131 275 6000
Email: nss.dataprotection@nhs.scot

You also have the right to complain about how we use your personal information to the Information Commissioner’s Office (ICO). You can find details on how to complain on the ICO website (external link).

Other rights

There are other rights under current data protection law, however these rights only apply in certain circumstances.

Download information on your other data protection rights (PDF, 47KB)

Download this full Data Protection Notice (PDF, 294KB)

Accessibility and translations

If you need this information in another format or a community language please contact:

Email: NSS.EqualityDiversity@nhs.scot

Tel: 0131 275 7457
Textrelay: 01800 275 7457 
Website: contactscotland-bsl.org/reg/