Skip to main content

beta This is a new site, your feedback will help us to improve it.


Counter Fraud - Data Protection

Published on 20 August 2021

How we use personal information

The Counter Fraud Services (CFS) is part of the strategic business unit, Practitioner & Counter Fraud Services within NHS National Services Scotland (NHS NSS). NSS is a public organisation created in Scotland. You can find more information by visiting the website.

NSS is the common name of the Common Services Agency for the Scottish Health Service. CFS provides counter fraud services to the various health hoards and other entities that make up NHSScotland, as well as to other public sector organisations in Scotland. Further information on the functions of the Common Service Agency can be found by visiting the Website.

We are committed to protecting and respecting the privacy of individuals whose personal information is held and processed by CFS and complying with its obligations under the General Data Protection Regulation (EU) 2016/679 (the GDPR) and Part 2 and/or Part 3 of the Data Protection Act 2018.

This data protection notice explains:

  • the types of personal information that we collect and process in relation to our function
  • how we obtain and use personal information
  • when we may disclose personal information to third parties

General details about NSS, including its legal basis for using personal information and how NSS handles personal information are available on the NSS data protection page.

What personal information is collected and processed?

CFS collects data appropriate for preventing, detecting and investigating crime or other irregularities within the NHS, ensuring that personal data is adequate, relevant and not excessive for the purposes for which it is processed.

This includes personal and special category information (e.g. racial or ethnic origin, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation). Find out what information we collect and process, and additionally please see the section what information we collect, use and disclose.

Data is collected:

  • through the process of data sharing with the wider NHS, public sector and professional regulatory bodies;
  • when you access treatment or services and sign a form at the dentist or optician;
  • through the CFS Fraud Reporting telephone line and online fraud reporting tool;
  • during the course of CFS investigations, intelligence gathering, proactive projects and prevention initiatives;
  • when a general enquiry is made;
  • if we ask for information when a problem is reported regarding the services provided by the organisation; and
  • if contacted, a record will be kept of that correspondence or telephone call.

Where CFS processes your personal data for purposes relating to the organisation’s statutory function, the GDPR and Part 2 of the Data Protection Act 2018 apply.

Where CFS processes your personal data for law enforcement purposes in connection with our statutory functions, Part 3 of the Data Protection Act 2018 applies.

Under the above provisions, CFS’s lawful bases for processing the types of personal data fall within the permitted category - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

Where CFS processes your personal data for other general activities e.g. paying a supplier, our legal basis is that the information is needed for the purposes of our, or a third party’s legitimate interests in those activities.

CFS’s lawful bases for processing special category personal data fall within the GDPR Article 9(2)(h) - health or social care treatment and services, and the Data Protection Act 2018 Schedule 1 Part 1 paragraph 2(2)(f) - the management of health care systems or services.

What personal information is shared, with whom, and in what circumstances?

We share personal and special category data (e.g. racial or ethnic origin, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation’) only when it is lawful to do so. We will not transfer this information outside the United Kingdom.

This sharing is explained in the form signed by patients when they access primary care services. To further increase the transparency of data sharing arrangements, we have detailed below what information is shared, when and why.

Finally, where necessary, we have documented Information Sharing Agreements which are subject to scrutiny and approval of senior managers in NSS and partner organisations.

nformation submitted via our fraud and corruption reporting line portals (telephone and online)

CFS provides both online and telephone reporting mechanisms for the reporting of fraud, bribery and corruption affecting the National Health Service.

This type of personal data is processed for law enforcement purposes Under Part 3 of the Data Protection Act 2018. Section 31 of the Act defines law enforcement purposes as:

...’the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security’.

When completing the online reporting form you will be asked to tell us as much as possible about the suspicious circumstances, and if you would like to keep in contact. We will protect your information and not share with others anything which could identify you, unless required to by law. You can choose to keep in contact with CFS through a secure, anonymous and private messenger service enabling us to ask more about your suspicion.

If you provide your personal details, we may ask whether you give permission for the CFS Intelligence Section to pass on your personal details to the CFS Investigation Team or to outside agencies. Where permission is withheld, we will seek to respect your wishes but there may in very rare circumstances be an overriding interest/obligation which may mean your personal details may have to be shared outside of the Intelligence Section. This decision will be made by the CFS Head of Service, who is the senior manager within NSS with responsibility for CFS. It will be recorded, and you will be informed that your personal details have been shared without your permission.

The personal information submitted on forms is stored securely in our systems, where your data is then subject to our internal retention and disposal policy.

Your personal data may be shared by the CFS Intelligence Section with internal teams or external organisations such as the police, other government organisations or regulatory bodies. For example, where the information may be relevant to a live CFS investigation.

Correspondence and contact with the CFS for law enforcement purposes in connection with our statutory functions

Personal information collected under this heading will be processed for law enforcement purposes under Part 3 of the Data Protection Act 2018.

How long we retain the information for

CFS retains information with reference to the NSS retention schedule, which details the minimum retention period for the personal information used by NSS.

Codes of conduct

Our staff have a legal and contractual duty to keep personal information secure and confidential. Each member of staff/worker is required to read and sign the confidentiality statement on an annual basis. All staff/workers must undergo information governance training on a two-yearly basis.

Your rights

You can find out more about your rights in relation to the information about you used by NHS NSS (including CFS) by visiting the NSS Homepage.

If you would like to access information about you which is held by CFS, or make any objection or other request in relation to CFS’ use of your information, you can do this by contacting:

NSS Data Protection Officer, Gyle Square, 1 South Gyle Crescent, Edinburgh EH12 9EB

Telephone: 0131 275 6000 E-mail:

What information we collect, use and disclose

The folowing information specifically outlines the data that we collect, use and disclose.

Health information

  • all data on optometry claim (both paper and electronic)
  • all data on prescription (both paper and electronic)
  • all data on dental claim (both paper and electronic)
  • all data on GP practice registration form (electronic)
  • patient demographic data only – no treatment information
  • patient demographic data and cost of prescriptions only – no prescription drug information

Personal information

  • personal details
  • family details
  • education, training and employment details
  • financial details
  • goods and services
  • lifestyle and social circumstances
  • complainants
  • visual images, personal appearance and behaviour
  • responses to surveys
  • residents in care homes
  • landlords
  • carers

Special category information

  • details held in patient record cards
  • racial and ethnic origin
  • trade union membership
  • physical or mental health details
  • religious or similar beliefs
  • sexual life

Law enforcement information

  • offences and alleged offences
  • criminal proceedings, outcomes and sentences

Other organisations

  • family health services contractors
  • professional experts and consultants
  • health boards, integrated joint health boards suppliers
  • employees (including of other organisations)
  • board and committee memberspublic sector body service providers or their users
  • registered charities

How we collect the data

Information may be collected by CFS by means of data sampling of claims made by NHSScotland patients or other individuals:

  • for full or partial help with health costs
  • has been identified as potentially committing fraud
  • exemption from relevant patient charges
  • subject to enquiries in respect of proper entitlement to health care as an overseas visitor.

Information may be provided to CFS by means of intelligence or information reports, either by telephone or online, and either by named individuals or organisations, in confidence, or anonymously.

Information may also be provided by the legal advisors or union representatives appointed by the individual to whom the information relates.

The use of the data

Information is used, to the extent necessary, for the prevention, detection and investigation of crime or other irregularities as part of the provision of a counter fraud service.

Information will also be used, to the extent necessary, to comply with our statutory and regulatory obligations.

Disclosure of the data

We may disclose personal information to the following parties, in each case where CFS is required to do so, in connection with the prevention, detection and investigation of crime or the recoveries of relevant patient charges:

• Home Office • the court or tribunal, whichever is relevant • the Crown Office & Procurators Fiscal Service • Business Services Authority • Audit Scotland • Department for Work and Pensions • NHS Scotland Practitioner Services • HM Revenues and Customs • expert witnesses, where expert witnesses have been engaged by CFS, to allow the expert witnesses to provide their statement and/or testimony • where a witness has witnessed an event or a course of behaviour, etc. The disclosure will be limited to that required to allow factual witnesses to provide their statement and/or testimony.

We may also disclose personal data that it holds to the following parties, for the following specified purposes:

• the Scottish Government or other relevant body, where this is required in connection with any fatal accident inquiry, public inquiry or other statutory inquiry • relevant professional regulatory bodies, such as the General Medical Council, the General Dental Council, the Nursing and Midwifery Council, etc., where this is required in required in order to comply with any statutory or regulatory obligation.

Document Control Information

Version: 1.0 Date: September 2021 Revision History: Initial publish on the NSS web platform