Skip to main content

Counter Fraud Services (CFS) – Data Protection Notice

Published on 27 September 2023

How we use personal information

The Counter Fraud Services (CFS) is part of our Practitioner and Counter Fraud Services (P&CFS) directorate within NHS National Services Scotland (NSS). NSS is a public organisation created in Scotland under Section 10 of the National Health Service (Scotland) Act 1978.

NSS is the common name of the Common Services Agency for the Scottish Health Service. CFS provides counter fraud services to the various Health Boards and other entities that make up NHSScotland, as well as to other public sector organisations in Scotland. Further information on the functions of the Common Service Agency can be found on the website.

We are committed to protecting and respecting the privacy of individuals whose personal information is held and processed by CFS and complying with its obligations under the General Data Protection Regulation (EU) 2016/679 (the GDPR) and Part 2 and/or Part 3 of the Data Protection Act 2018.

This data protection notice explains:

  • the types of personal information that we collect and process in relation to our function
  • how we obtain and use personal information
  • when we may disclose personal information to third parties

General details about NSS, including its legal basis for using personal information and how NSS handles personal information are available on our Privacy Notice - Data Protection page on our website.

What personal information is collected and processed?

CFS collects data appropriate for preventing, detecting and investigating crime or other irregularities within the NHS, ensuring that personal data is adequate, relevant and not excessive for the purposes for which it is processed.

This includes personal and special category information (e.g. racial or ethnic origin, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation). Find out what information we collect and process, and additionally please see the closing section 'What information we collect, use and disclose'.

Data is collected:

  • through the process of data sharing with the wider NHS, public sector, and professional regulatory bodies
  • when you access treatment or services and sign a form at the dentist or optician
  • through the CFS Fraud Reporting telephone line and online fraud reporting tool
  • during the course of CFS investigations, intelligence gathering, proactive projects and prevention initiatives
  • when a general enquiry is made
  • if we ask for information when a problem is reported regarding the services provided by the organisation
  • if contacted, a record will be kept of that correspondence or telephone call

Where CFS processes your personal data for purposes relating to the organisation’s statutory function, the GDPR and Part 2 of the Data Protection Act 2018 apply.

Where CFS processes your personal data for law enforcement purposes in connection with our statutory functions, Part 3 of the Data Protection Act 2018 applies.

Under the above provisions, CFS’s lawful bases for processing the types of personal data fall within the permitted category – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

Where CFS processes your personal data for other general activities e.g., paying a supplier, our legal basis is that the information is needed for the purposes of our, or a third party’s legitimate interests in those activities.

CFS’s lawful bases for processing special category personal data fall within the GDPR Article 9(2)(h) – health or social care treatment and services, and the Data Protection Act 2018 Schedule 1 Part 1 paragraph 2(2)(f) – the management of health care systems or services.

What personal information is shared, with whom, and in what circumstances?

We share personal and special category data (e.g. racial or ethnic origin, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation) only when it is lawful to do so. We will not transfer this information outside the United Kingdom.

This sharing is explained in the form signed by patients when they access primary care services. To further increase the transparency of data sharing arrangements, we have detailed below what information is shared, when and why.

Finally, where necessary, we have documented Information Sharing Agreements which are subject to scrutiny and approval of senior managers in NSS and partner organisations.

Information submitted via our fraud and corruption reporting line portals (telephone and online)

CFS provides both online and telephone reporting mechanisms for the reporting of fraud, bribery and corruption affecting the National Health Service.

This type of personal data is processed for law enforcement purposes Under Part 3 of the Data Protection Act 2018. Section 31 of the Act defines law enforcement purposes as:

...'the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security'.

When completing the online reporting form you will be asked to tell us as much as possible about the suspicious circumstances, and if you would like to keep in contact. We will protect your information and not share with others anything which could identify you, unless required to by law. You can choose to keep in contact with CFS through a secure, anonymous, and private messenger service enabling us to ask more about your suspicion.

If you provide your personal details, we may ask whether you give permission for the CFS Intelligence Section to pass on your personal details to the CFS Investigation Team or to outside agencies. Where permission is withheld, we will seek to respect your wishes but there may, in very rare circumstances, be an overriding interest/ obligation which may mean your personal details may have to be shared outside of the Intelligence Section. This decision will be made by the CFS Head of Service, who is the senior manager within NSS with responsibility for CFS. It will be recorded, and you will be informed that your personal details have been shared without your permission.

The personal information submitted on forms is stored securely in our systems, where your data is then subject to our internal retention and disposal policy.

Your personal data may be shared by the CFS Intelligence Section with internal teams or external organisations such as the police, other government organisations or regulatory bodies. For example, where the information may be relevant to a live CFS investigation.

Correspondence and contact with the CFS for law enforcement purposes in connection with our statutory functions

Personal information collected under this heading will be processed for law enforcement purposes under Part 3 of the Data Protection Act 2018.

How long we retain the information for

CFS retains information as set out within the Scottish Government Records Management Code of Practice for Health and Social Care (Scotland) 2020. NSS maintain a “retention schedule”, as directed by the code, which details the minimum retention period for the personal information we use and how we dispose of it safely.

Codes of conduct

Our staff have a legal and contractual duty to keep personal information secure and confidential. Each member of staff/ worker is required to read and sign the confidentiality statement on an annual basis. All staff/ workers must undergo information governance training on a three-yearly basis.

Your rights

The right to be informed

As an organisation, we must explain how we use your personal information. We use a number of ways to communicate how personal information is used, including:

  • this Data Protection Notice
  • information leaflets
  • discussions with staff providing your care

The right of access

You have the right to access your own personal information.

This right includes making you aware of what information we hold along with the opportunity to satisfy you that we’re using your information fairly and legally.

You have the right to:

  • confirmation that your personal information is being held or used by us
  • access your personal information
  • additional information about how we use your personal information

Although we must provide this information free of charge, we may charge a reasonable fee if your request is considered unfounded or excessive or if you request the same information more than once.

If you’d like to access your personal information, get in touch with us with the details of your request using the following contact details:

NSS Data Protection Officer, Gyle Square, 1 South Gyle Crescent, Edinburgh, EH12 9EB | Tel: 0131 275 6744 | Email:

Once we’ve received your request and you’ve provided enough information for us to locate your personal information, we’ll respond to your request within one month (30 days). However, we may take longer to respond – by a further two months – if your request is complex. If this is the case, we’ll tell you and explain the reason for the delay.

How to contact us

Many of our staff are working remotely so electronic communication is the most efficient way to contact us. Although post is possible, we ask that you submit any requests by emailing

Please note that any personal information sent from a email account to the data protection mailbox is unsecure and not encrypted. If you wish to send this information via email, you will need to accept the risk of personal identifiable information being sent via the internet without encryption.

The right to rectification

If the personal information we hold about you is inaccurate or incomplete, you have the right to have this corrected – this is called the right to rectification.

If it’s agreed that your personal information is inaccurate or incomplete, we’ll aim to amend your records within one month, or within two months where the request is complex. If more time is needed to fulfil your request, we’ll contact you as quickly as possible to let you know. We can restrict access to your records to ensure that the inaccurate or incomplete information is not used until amended – unless there is a risk to patient safety.

If for any reason we’ve shared your information with anyone else, perhaps during a referral to another service for example, we’ll explain to them the changes needed so they can ensure their records are accurate.

If, when we consider your request fully, we don’t consider the personal information to be inaccurate then we’ll add a comment to your record stating your concerns about the information. If this is the case, we’ll contact you within one month to explain our reasons.

If you’re unhappy about how we respond to your request for rectification, we will provide you with information on how you can complain to the Information Commissioner’s Office, or how to take legal action.

The right to object

When we process your personal information, you have the right to object to the processing and seek that further processing of your personal information is restricted.

Your right to object will not be upheld if we can demonstrate compelling legitimate grounds for processing your personal information, like patient safety, the need to deliver a public service, or for evidence to support legal claims.

The right to complain

NHS NSS employs a Data Protection Officer to check that we handle personal information in a way that meets data protection law. If you’re unhappy with the way we use your personal information, please contact our Data Protection Officer:

NSS Data Protection Officer
Gyle Square
1 South Gyle Crescent
EH12 9EB
Tel: 0131 275 6744

You also have the right to complain about how we use your personal information to the Information Commissioner’s Office (ICO). Details about this are on their website at Our ICO registration number is Z5801192.

Other rights

There are other rights under current data protection law, however these rights only apply in certain circumstances.

If you would like to access information about you which is held by CFS, or make any objection or other request in relation to CFS’ use of your information, you can do this by contacting:

NSS Data Protection Officer, Gyle Square, 1 South Gyle Crescent, Edinburgh EH12 9EB | Tel: 0131 275 6744 | Email:

What information we collect, use and disclose

Details of what information Counter Fraud Services collect, use, and disclose is provided below.

Types of data

Health Information:

  • all data on optometry claim (both paper and electronic)
  • all data on prescription (both paper and electronic)
  • all data on dental claim (both paper and electronic)
  • all data on GP practice registration form (electronic)
  • patient demographic data only – no treatment information
  • patient demographic data and cost of prescriptions only – no prescription drug information

Personal Information:

  • personal details
  • family details
  • education, training and employment details
  • financial details
  • goods and services
  • lifestyle and social circumstances
  • complainants
  • visual images, personal appearance and behaviour
  • responses to surveys
  • residents in care homes
  • landlords
  • carers

Special Category Information:

  • details held in patient record cards
  • racial and ethnic origin
  • trade union membership
  • physical or mental health details
  • religious or similar beliefs
  • sexual life

Law Enforcement Information:

  • offences and alleged offences
  • criminal proceedings, outcomes and sentences

Other Organisations:

  • family health services contractors
  • professional experts and consultants
  • health boards, integrated joint health boards suppliers
  • employees (including of other organisations)
  • board and committee members
  • public sector body service providers or their users
  • registered charities


Information may be collected by CFS by means of data sampling of claims made by NHSScotland patients or other individuals:

  • for full or partial help with health costs
  • has been identified as potentially committing fraud
  • exemption from relevant patient charges
  • subject to enquiries in respect of proper entitlement to health care as an overseas visitor

Information may be provided to CFS by means of intelligence or information reports, either by telephone or online, and either by named individuals or organisations, in confidence, or anonymously.

Information may also be provided by the legal advisors or union representatives appointed by the individual to whom the information relates.


Information is used, to the extent necessary, for the prevention, detection and investigation of crime or other irregularities as part of the provision of a counter fraud service.

Information will also be used, to the extent necessary, to comply with our statutory and regulatory obligations.


We may disclose personal information to the following parties, in each case where CFS is required to do so, in connection with the prevention, detection and investigation of crime or the recoveries of relevant patient charges:

  • Home Office
  • the court or tribunal, whichever is relevant
  • the Crown Office & Procurators Fiscal Service
  • Business Services Authority
  • Audit Scotland
  • Department for Work and Pensions
  • NHS Scotland Practitioner Services
  • HM Revenues and Customs
  • expert witnesses, where expert witnesses have been engaged by CFS, to allow the expert witnesses to provide their statement and/ or testimony
  • where a witness has witnessed an event or a course of behaviour, etc. The disclosure will be limited to that required to allow factual witnesses to provide their statement and/ or testimony

We may also disclose personal data that it holds to the following parties, for the following specified purposes:

  • the Scottish Government or other relevant body, where this is required in connection with any fatal accident inquiry, public inquiry or other statutory inquiry
  • relevant professional regulatory bodies, such as the General Medical Council, the General Dental Council, the Nursing and Midwifery Council, etc., where this is required in required in order to comply with any statutory or regulatory obligation
  • the Police, upon receipt of a valid data disclosure request under the GDPR
  • external auditors where required in connection with any audit of CFS activities
  • service providers to CFS, e.g. IT providers, but such disclosure will be limited to that required for providing the relevant service and will only be effected with service providers who have entered into a contract with NSS in which robust data protection obligations and protections are contained
  • data subjects themselves; and legal and other lawful representatives of the person whose personal data we are processing
  • staff, including of other organisations; healthcare social and welfare organisations
  • auditors and audit bodies
  • debt collection and tracing agencies
  • professional advisers and consultants; business associates; the police; other law enforcement agencies; central and local government