Data protection

NHS National Services Scotland (NHS NSS) is a public organisation created in Scotland under section 10 of the National Health Service (Scotland) Act 1978 (the 1978 Act).

‘NHS National Services Scotland’ is the common name of the Common Services Agency for the Scottish Health Service.

We’re one of the organisations which form part of NHS Scotland.

Why we use personal information

As an organisation, we’ve been given tasks by the Scottish Government so we can promote and improve the physical and mental health of the people of Scotland and play our part in operating a comprehensive and integrated national health service in Scotland.

These tasks (or functions as they are described in the legislation), are given to us under the 1978 Act and related legislation like the National Health Service (Functions of the Common Services Agency) (Scotland) Order 2008 (external link) and the National Health Service (Functions of the Common Services Agency) (Scotland) Amendment Order 2014 (external link).

Along with all health boards within NHS Scotland, we use personal information to:

• support the administration of health and care services
• provide information to other agencies to assist in the prevention and detection of fraud
• conduct research for the improvement of healthcare
• support and manage our employees
• maintain our accounts and records
• use CCTV systems for crime prevention

We also use personal information to help us fulfil specific tasks that we’ve been given as an organisation, like administering:

• blood transfusion (blood, tissues and stem cells) services
• consultancy and advisory services
• counter-fraud processing
• legal services
• lending, hire and library services
• the National Appeal Panel for Entry to the Pharmaceutical List (external link) 

Our legal basis for using personal information

Under data protection law, we have responsibilities as a ‘data controller’. A data controller decides why and how we use personal information. This means that we need to have a legal basis when using personal information.

We consider that the tasks and functions we perform are in the public interest. This means that our legal basis for using personal information is usually that the information is needed for performing a task we’re carrying out in the public interest, or exercising official authority vested in us.

In some situations we may rely on a different legal basis – for example, our legal basis for using personal information to pay a supplier is that the information is needed for the purposes of our legitimate interests as a buyer of goods and services.

Our legal basis when we are using more sensitive types of personal information, including health information, is usually that the use is necessary:

• for providing health or social care or treatment or managing health or social care systems and services
• for reasons of public interest in the area of public health
• for reasons of substantial public interest for aims that are proportionate and respect people’s rights
• for archiving, scientific or historical research, or statistical purposes - as long as appropriate safeguards are in place
• in order to protect the vital interests of an individual
• for establishing, exercising or defending legal claims or in the case of a court order

On rare occasions we may rely on your explicit consent as our legal basis for using your personal information. When we do this we will explain what it means, and the rights that are available to you.

What personal information we use

We use personal information on different groups of people including:

• patients
• staff and volunteers
• contractors
• suppliers
• complainants, enquirers
• people who’ve responded to surveys
• professional experts and consultants
• individuals captured by CCTV

The personal information we use includes information that identifies you like your name, address, date of birth and postcode.

The information we use can relate to:

• personal and family details
• education, training and employment
• financial details
• lifestyle and social circumstances
• goods and services
• visual images
• details held in patient records
• responses to surveys

Sensitive personal information

We also use more sensitive types of personal information, including information about:

• racial or ethnic origin
• religious or philosophical beliefs
• trade union membership
• health
• sex life or sexual orientation
• criminal convictions and offences

Who provides the personal information

When you don’t provide information directly to us, we receive it from other individuals and organisations involved in the delivery of health and care services in Scotland. These include:

• other NHS boards
• primary care contractors such as GPs, dentists, pharmacists and opticians
• other public bodies, for example local authorities
• suppliers of goods and services

How we protect personal information

We take care to ensure your personal information is only accessible to authorised people. Our staff have a legal and contractual duty to keep personal health information secure and confidential.

We’ve put the following security measures in place to protect personal information:

• All staff undertake mandatory training in Data Protection and IT Security.
• We comply with NHS Scotland Information Security Policy.
• We have organisational policy and procedures on safely handling personal information.
• We have access controls and audits of electronic systems.
• Any other organisation to whom we contract work is bound to security standards at least as secure as NSS's.

Sharing personal information with others

Depending on the situation, we may need to share personal information with others. If we do, we’ll only share appropriate, relevant and proportionate personal information and we’ll comply with the law.

Others could include:

• our patients and their chosen representatives or carers
• staff
• current, past and potential employees
• healthcare social and welfare organisations
• suppliers, service providers, legal representatives
• auditors and audit bodies
• educators and examining bodies
• research organisations
• people making an enquiry or complaint
• financial organisations
• professional bodies
• trade unions
• business associates
• courts, tribunals and legal experts
• police forces
• security organisations
• central and local government
• voluntary and charitable organisations

Transferring personal information abroad

We don’t routinely transfer personal information to countries outside of the UK without an adequate level of data protection. If it becomes necessary then the transfer will comply with UK data protection law and the NHS Scotland Information Security Policy.

How long we retain the information for

We keep personal information as set out in the Scottish Government Records Management: NHS Code of Practice (Scotland) Version 2.1 January 2012 (the code). The code sets out the length of time we need to retain information (called ‘minimum retention periods’) including personal information, held in different types of records like personal health records and administrative records.

We maintain a retention schedule as directed by the code, which details the minimum retention period for the personal information we use and how we safely dispose of it.

Your rights

This section contains a description of your data protection rights.

The right to be informed

As an organisation, we must explain how we use your personal information. We use a number of ways to communicate how personal information is used, including:

• this Data Protection Notice
• information leaflets
• discussions with staff providing your care

The right of access

You have the right to access your own personal information.

This right includes making you aware of what information we hold along with the opportunity to satisfy you that we’re using your information fairly and legally.

You have the right to:

• confirmation that your personal information is being held or used by us
• access your personal information
• additional information about how we use your personal information

Although we must provide this information free of charge, we may charge a reasonable fee if your request is considered unfounded or excessive or if you request the same information more than once.

If you’d like to access your personal information, get in touch with us with the details of your request using the following contact details:

NSS Data Protection Officer  Gyle Square 1 South Gyle Crescent Edinburgh EH12 9EB Tel: 0131 275 6000 Email: nss.dataprotection@nhs.scot

Once we’ve received your request and you’ve provided enough information for us to locate your personal information, we’ll respond to your request within one month (30 days). However we may take longer to respond – by up to two months – if your request is complex. If this is the case we’ll tell you and explain the reason for the delay.

How to contact us

Many of our staff are working remotely so electronic communication is the most efficient way to contact us. Although post is possible, we ask that you submit any requests by emailing nss.dataprotection@nhs.scot

The right to rectify personal information

If the personal information we hold about you is inaccurate or incomplete you have the right to have this corrected – this is called the right to rectification.

If it’s agreed that your personal information is inaccurate or incomplete we’ll aim to amend your records within one month, or within two months where the request is complex. If more time is needed to fulfil your request, we’ll contact you as quickly as possible to let you know. We can restrict access to your records to ensure that the inaccurate or incomplete information is not used until amended – unless there is a risk to patient safety.

If for any reason we’ve shared your information with anyone else, perhaps during a referral to another service for example, we’ll explain to them the changes needed so they can ensure their records are accurate.

If, when we consider your request fully, we don’t consider the personal information to be inaccurate then we’ll add a comment to your record stating your concerns about the information. If this is the case we’ll contact you within one month to explain our reasons.

If you’re unhappy about how we respond to your request for rectification, we will provide you with information on how you can complain to the Information Commissioner’s Office, or how to take legal action.

The right to object

When we process your personal information, you have the right to object to the processing and also seek that further processing of your personal information is restricted.

Your right to object will not be upheld if we can demonstrate compelling legitimate grounds for processing your personal information, like patient safety, the need to deliver a public service, or for evidence to support legal claims.

The right to complain

We employ a Data Protection Officer to check that we handle personal information in a way that meets data protection law. If you’re unhappy with the way we use your personal information, please contact our Data Protection Officer:

Email: nss.dataprotection@nhs.scot

You also have the right to complain about how we use your personal information to the Information Commissioner’s Office (ICO). You can find details on how to complain on the ICO website (external link).

Other rights

There are other rights under current data protection law, however these rights only apply in certain circumstances.

Download information on your other data protection rights (PDF, 47KB)

Download this full Data Protection Notice (PDF, 294KB)

Accessibility and translations

If you need this information in another format or a community language please contact:

Email: NSS.EqualityDiversity@nhs.scot

Tel: 0131 275 7457 Textrelay: 01800 275 7457  Website: Contact Scotland BSL (external link)