Practitioner Services Directorate and Primary Care Contractor Finance Data Protection Notice

Published on 16 April 2024

Who is the Data Controller?

Practitioner Services Directorate is the business unit within NHS National Services Scotland (NSS) which has direct engagement in data flows with primary care contractors, and manages the National Primary Care Clinicians Database (NPCCD). The Primary Care Contractor Finance team manage the Scottish Infected Blood Support Scheme and the Transvaginal Mesh Fund. NHS NSS is a public organisation created in Scotland under Section 10 of the National Health Service (Scotland) Act 1978. NSS is the common name of the Common Services Agency for the Scottish Health Service. The NSS Chief Executive has overall accountability for NSS’s compliance with data protection law.

To provide our services we need to collect, use and store personal information. This includes the collection, validation, processing and storage of health and demographic data relating to primary care services received by patients either residing in or accessed in Scotland.

When using personal information, our legal basis is that its use is necessary for:

  • Article 6(1)(c) – Processing is necessary for compliance with a legal obligation;
  • Article 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
  • Article 9(2)(h) – Providing health or social care treatment or managing health or social care systems or services;
  • Section 10(1)(c), 10(2) and Schedule 1 Part 1 (2) of the Data Protection Act 2018

On some occasions we may rely on another basis, which will usually be that the use is necessary:

  • Article 9(2)(i) - for reasons of public interest in the area of public health; or
  • Article 9(2)(g) - for reasons of substantial interest for aims that are proportionate and respect people’s rights, for example research; or
  • Article 9(2)(c) - in order to protect the vital interests of an individual.

The functions of NSS are further defined in the Functions of the Common Services Agency Order 2008 and the National Health Service (Functions of the Common Services Agency) (Scotland) Amendment Order 2014.

These statutory instruments set out the legal basis for NSS to provide services within NHS Scotland and the wider Scottish public sector, as directed by Scottish Ministers.

Other Regulations and statutory instruments either directly identify NSS as carrying out a function or identify a NHS Board/Scottish Dental Practice Board as having that function which is then discharged on behalf of that organisation by NSS acting under the Functions Order (as amended).

The main Regulations which operate in the primary care environment in NHS Scotland are:

Data Processor

Practitioner Services Directorate also works with a range of subcontractors who are required to provide a variety of health and social care services and support. Sometimes these organisations need access to some of your personal information to carry out activities on behalf of the NHS. These organisations are called 'data processors'.

Data collection, use and retention

What personal information do we use?

We use personal information on:

  • Patients residing in or receiving services from NHS Scotland
  • Primary care contractors (dentists, GPs, pharmacists, optometrists) or their staff providing services to patients in NHS Scotland.

What personal information is collected?

Demographic information

  • Current and previous surnames, forenames
  • Gender
  • Date of birth
  • Community Health Index (CHI) numbers
  • Residential addresses relating to patients

Health information

  • GP medical records
  • Dental treatment applied for or provided under the General Dental Service or Public Dental Services
  • Eye examinations
  • Ophthalmic registration and treatment applied for under the Community Glaucoma Service
  • Prescription data, records of drugs prescribed and dispensed by Community Pharmacies
  • Records of patient registration with primary care contractors who accept the patients under their care

Primary care contractor information

  • Surnames, forenames
  • Gender
  • Date of birth
  • Professional Registration Number
  • Bank details
  • E-mail address
  • Telephone number
  • Residential address

The information is used to provide remuneration to the primary care contractors for the services provided to the patient, for example remuneration of drugs, dental and ophthalmic services and to assess and process specific health related claim applications from patients as required.

GP medical record information is transferred by NSS when patients move GP practices - when a patient leaves a GP practice and registers with a new GP Practice, the record is returned to Practitioner Services and will be transferred to the new practice. We also securely store GP records for patients who are not registered with a GP Practice, move out of the UK or are deceased in line with the Scottish Government Records Management Code of Practice 2020.

Our systems may make automated decisions in respect of payment authorisation, patient data matching/updating, dental treatment approval workflows or audit sampling. Where this is done it is based on predefined business rules and criteria which are regularly reviewed.

National datasets, including the CHI, are created and maintained by the processing of transactional data and are more widely used within NHS Scotland for the purposes of clinical governance, service monitoring, financial management and planning.

How is personal information collected?

NSS Practitioner Services Directorate and Primary Care Contractor Finance operate a number of paper and IT systems which collect data from primary care contractors.

Where IT systems are operated, these interface with the local systems operated by the primary care contractors and data is transmitted over secure networks.

Paper collection is through secure, contracted couriers or through local NHS Board provided transport systems.

Where is the personal information stored?

Data on paper is stored in NSS’s secure office premises within Scotland or in our third party archive store located in Scotland.

Data stored electronically is held within secure data centres located within Scotland and is not held outwith the UK.

How is the accuracy of personal information ensured?

Much of the data is captured electronically, entered directly into local systems by primary care contractors. NSS Practitioner Services carries out a series of data validation processes to ensure the data is of sufficiently high quality to process. Rejected and processed data is reported back to the primary care contractor for review. In addition, Primary Care Contractor Finance operate a number of post-processing verification processes to further assure data quality, including data quality reviews, post-payment verification, and internal and external audits.

What personal information is shared, with whom, and in what circumstances?

Personal information is shared only when it is lawful to do so. NSS operates principally on the basis that data processed by Practitioner Services and Primary Care Contractor Finance is received on a statutory legal basis, not on the basis of consent.

When patients access primary care services, they sign a form which in part is a data protection notice explaining to patients how their data may be lawfully shared. In addition, Practitioner Services publishes a patient leaflet which goes into further detail. To further increase the transparency of data sharing arrangements, Practitioner Services has published a patient information leaflet and matrix detailing what information is shared, when and why (see sections 6-10).

Finally, where necessary, we have documented Information Sharing Agreements which are subject to scrutiny and approval of senior managers in NSS and partner organisations.

What other purposes might the personal information be used for?

Personal information may be anonymised or pseudo-anonymised by NHS Scotland for research and reporting purposes. These processes mean that data can no longer be identified to a named patient.

Personal information may be released to tribunals, hearings or other disciplinary or investigative processes in respect of professional bodies regulating primary care contractors.

Personal information may be released to Police Scotland, other police organisations or other organisations who have statutory powers in the prevention or detection of crime.

Are any third parties involved in the processing of personal information?

  • Nationally and locally appointed couriers, NHS Board transport services and the Royal Mail are used for processing paper records;
  • RSS/Oasis is used for archive storage of paper medical records;
  • Capture All is used for scanning paper medical records into a digital format;
  • SWORD is used for managing NPCCD, a national system that is used and maintained by all Health Boards and currently contains details of all GPs and GP practice details, Ophthalmic Practitioners and Ophthalmic Practice details validated to work in the Board area and locum for others. The data is used for onward feeding of other NHS systems, such as for verification and payment purposes as well as source data for National extracts. SWORD are currently developing the Dental contractor list;
  • ATOS, who hold the NHS Scotland national IT contract and their sub-contractors in respect of IT systems.

Transfers outwith the UK

Data flows from primary care practitioners to NSS Practitioner Services Directorate and Primary Care Contractor Finance do not flow outwith the UK. NSS does not store or process data outwith the UK.

How long is data retained for?

The retention of data varies depending on the nature of the data involved. Practitioner Services Directorate and Primary Care Contractor Finance comply with the Scottish Government’s Records Management Health & Social Care Code of Practice (2020) and local NSS policies.

Read the Scottish Government's code of practice (external site)

Data security

What IT systems are involved?

NSS operates bespoke and off-the-shelf IT systems which are owned and operated by NSS and Atos, the National IT contract supplier. NSS uses Exchange Online, a component of the Office 365 suite of products, for email services.

Within Practitioner Services Directorate and Primary Care Contractor Finance, the main systems are:

  • GMS – CHI, Partners, MedEx, Barex, PMSPS, NPCCD
  • Pharmacy – Scanning, ICR, nDCVP, ePharmacy, PIS
  • Dental – Scanning, eDental, PARS, MIDAS, SDRS, data warehouse
  • Optometry – Scanning, eOphthalmic, OPTIX, Data warehouse, NPCCD

What safeguards are in place?

Physical access controls, such as swipe access control systems, security guards, CCTV, locked cupboards and rooms, are operated at NSS premises, third party storage facilities and data centres.

IT systems are secured by firewalls, secure networks, usernames/passwords including two factor authentication where required and encryption of data in flight and at rest.

How is access to data controlled?

User access to Practitioner Services Directorate and Primary Care Contractor Finance systems is authorised by key personnel and reviewed regularly to ensure that access is commensurate with operational need. User access is revoked when staff leave the organisation or change role. User access processes are audited annually by external auditors. Passwords are required to be changed regularly in line with the NHS Scotland password standard.

Codes of conduct and privacy policies

Our staff have a legal and contractual duty to keep personal health information secure and confidential. In addition, some professionally registered staff/workers are required to comply with standards set by their professional bodies.

Each member of staff/worker is required to read and sign the confidentiality statement on an annual basis. All staff/workers must undergo information governance training on a three-yearly basis.

Patient privacy/data protection notices

Patient privacy/data protection notices are contained in forms (or their electronic equivalent) that patients are required to sign when registering with/receiving treatment from a primary care contractor.

These data protection notices do not seek the consent of the patient for their data flow to NSS since the legal basis of that sharing is not consent; it is required by the statutory framework referred to in our legal basis section.

Patient privacy/data protection notices are also contained in application forms for specific health related claims where the legal basis is consent.

Your rights

UK GDPR is the framework for data protection laws. Data protection law governs the use of personal information and gives you the following rights:

The right to be informed

Patients have a right to be informed about how we use personal information. We use a number of ways to do this, including:

  • Data Protection Privacy Notices contained in forms (or their electronic equivalent) which patients are required to sign when registering with/receiving treatment from a primary care contractor
  • Patient Information leaflet
  • Discussions with staff providing your care
  • Primary Care contractors have a right to be informed how we use their personal information. This is done through this Data Protection Privacy Notice.

The right of access

You have a right to see, or have a copy of, the information we hold about you. This right includes making you aware of what information we hold along with the opportunity to satisfy you that we are using your information fairly and legally. You have the right to obtain:

  • Confirmation that your personal information is being held or used by us
  • Access to your personal information
  • Additional information about how we use your personal information

If you would like to access your personal information, you can do this by contacting the NSS Data Protection Officer at the address below:

NSS Data Protection Officer
Gyle Square,
1 South Gyle Crescent,
Edinburgh
EH12 9EB
Tel: 0131 275 6000
Email: nss.dataprotection@nhs.scot

The right to rectification

If the personal information we hold about you is inaccurate or incomplete you have the right to have this corrected.

If it is agreed that your personal information is inaccurate or incomplete we will aim to amend your records accordingly, normally within one month, or within two months where the request is complex. Unless there is a risk to patient safety, we can restrict access to your records to ensure that the inaccurate or incomplete information is not used until amended.

If for any reason we have shared your information with anyone else, we will notify them of the changes required so that we can ensure their records are accurate.

If, on consideration of your request, we do not consider the personal information to be inaccurate then we will add a comment to your record stating your concerns about the information. If this is the case we will contact you within one month to explain our reasons for this.

If you are unhappy about how we have responded to your request for rectification we will provide you with information on how you can complain to the Information Commissioner’s Office, or how to take legal action.

The right to object

You have the right to object to our use of personal information about you in certain circumstances, and also seek that further processing of personal information about you is restricted.

We provide a number of functions on a national basis. These are described in the Functions of the Common Services Agency Order 2008 (external link).

We receive claims along with the personal data about treatment given for the purpose of authorising and making payments to Primary Care Contractors under Regulations and statutory powers.

Patients do not have a right of opt-out to the collection and processing of personal data for services provided by NHS Scotland primary care contractors: it is a requirement of the various Regulations referred to earlier that data is collected, processed and shared in a lawful manner. It is for that reason that the privacy notices on primary care forms do not seek consent or opt-in/outs since consent is not the basis of the processing.

In most instances, data held by NSS Practitioner Services Directorate and Primary Care Contractor Finance is held on a statutory basis and the deletion of the data is not possible, since to do so would compromise either the ability of NSS to fulfil one of its statutory functions or the function of another NHS Scotland Board or organisation.

For example, the deletion of patients from CHI is not possible since to do so would risk patient mis-identification and also mean that statutory functions such as immunisation and other public health functions placed upon NHS Boards could not be delivered.

Where data is incorrect, that data can be corrected either directly or noted as incorrect (e.g. a historic record of treatment cannot be directly updated). Within GP records, patients may wish that part of their medical history be deleted, but that may be at odds with a statutory requirement and may compromise the NHS’s ability to provide safe and effective care. Such deletion requests would require the agreement of senior medical personnel in the relevant NHS Board if it were to be actioned.

The right to complain

NHS NSS employ a Data Protection Officer to check that we handle personal information in a way that meets data protection law. If you are unhappy with the way in which we use your personal information please tell our Data Protection Officer using the contact details below.

NSS Data Protection Officer,
Gyle Square,
1 South Gyle Crescent,
Edinburgh
EH12 9EB
Email: nss.dataprotection@nhs.scot

You also have the right to complain about how we use your personal information to the Information Commissioner’s Office (ICO). Details about this are on their website at www.ico.org.uk.

Other rights

There are other rights under current data protection law, however these rights only apply in certain circumstances. If you wish further information on these rights please look at the data protection pages on the NHS NSS website.

What information is shared - pharmacy

All data on prescriptions (both paper and electronic)

  • Shared by Community Pharmacies with the Common Services Agency (NHS National Services Scotland) to ensure accurate payment of all prescriptions.
  • Shared by the Common Services Agency (NHS National Services Scotland) with NHS Scotland Counter Fraud Services (hosted by the Common Services Agency (NHS National Services Scotland)) for the prevention, detection and investigation of crime, only when a patient, or dispensing contractor (community pharmacy, dispensing doctor, a specialist appliance supplier and stoma provider) has been identified as potentially committing fraud.
  • Shared by the Common Services Agency (NHS National Services Scotland) with Community Pharmacy Scotland to ensure accurate payment of all prescriptions.
  • Shared by the Common Services Agency (NHS National Services Scotland) with Local Authorities with regard to the provision of social care services but only the prescriptions of patients receiving social care where this is requested to be shared.
  • Shared by the Common Services Agency (NHS National Services Scotland) with NHS Boards to ensure accurate payment and for clinical governance of all prescriptions prescribed in or dispensed in that NHS Board area.
  • Shared by the Common Services Agency (NHS National Services Scotland) with UK Regulatory Bodies such as the General Medical Council and General Pharmaceutical Council for professional regulation but only prescriptions of specific patients who have received a prescription from someone under investigation by a Regulatory Body.
  • Scanned prescription images shared by the Common Services Agency (NHS National Services Scotland) with Public Health Scotland and Community Pharmacy Scotland who have a lawful basis to view and retrieve prescription images, to effectively carry out their statutory and legislative obligations.

Patient demographic data only – no prescription information

  • Shared by the Common Services Agency (NHS National Services Scotland) with the NHS Business Services Authority for the prevention, detection and investigation of crime but only in respect of sampling claims from full help with health costs or limited help with health costs.
  • Shared by the Common Services Agency (NHS National Services Scotland) with the Department of Work and Pensions for the prevention, detection and investigation of crime but only in respect of sampling claims from full help with health costs or limited help with health costs.
  • Shared by the Common Services Agency (NHS National Services Scotland) with HM Revenue and Customs for the prevention, detection and investigation of crime but only in respect of sampling claims from full help with health costs or limited help with health costs.

All data on minor ailment service or chronic registration service forms, or in respect of enhanced services

  • Shared by Community Pharmacies with the Common Services Agency (NHS National Services Scotland) to ensure accurate payment for all patients registered or receiving services under these schemes.

Name and professional registration number of eligible NHS Prescribers for BNF Publications

  • Shared by NHS Boards with the Common Services Agency (NHS National Services Scotland) to validate eligible prescribers and for assurance of administering public funds appropriately annually in May/June for publication distribution in September.

What information is shared - dental

All data on general dental or orthodontic treatment plan or claim form (both paper and electronic) as well as any X-rays and models submitted.

  • Shared by Dentists with the Common Services Agency (NHS National Services Scotland) for treatment authorisation, patient registration with the dentist and accurate payment for all dental claims from General Dental Services.
  • Shared by NHS Boards with the Common Services Agency (NHS National Services Scotland) for treatment authorisation, patient registration with the Public Dental Service and activity recording for all dental claims from Public Dental Service.
  • Shared by the Common Services Agency (NHS National Services Scotland) with NHS Scotland Counter Fraud Services (hosted by the Common Services Agency (NHS National Services Scotland)) for the prevention, detection and investigation of crime, but only when a patient or dentist has been identified as potentially committing fraud.
  • Shared by the Common Services Agency (NHS National Services Scotland) with NHS Boards to ensure accurate payment and clinical governance compliance for all treatment provided to patients in that NHS Board area.
  • Shared by the Common Services Agency (NHS National Services Scotland) with UK regulatory bodies such as the General Dental Council for professional regulation, but only claims, treatment and records for specific patients who have received dental treatment from someone under investigation by a regulatory body.

All data on public dental service claim forms submitted.

  • Shared by the Public Dental Service with the Common Services Agency (NHS National Services Scotland) for the purpose of measuring and monitoring clinical activity within the Public Dental Service.

Patient Dental Records

  • Shared by Dentists with the Common Services Agency (NHS National Services Scotland) for payment verification purposes to satisfy obligations under both the Data Protection Act 2018/GDPR and the GDS Regulations when requested by the Common Services Agency (NHS National Services Scotland).

Patient demographic data only – no treatment information

  • Shared by the Common Services Agency (NHS National Services Scotland) with NHS Business Services Authority for the prevention, detection and investigation of crime, but only in respect of sampling claims for full help with health costs or partial help with health costs.
  • Shared by the Common Services Agency (NHS National Services Scotland) with the Department of Work and Pensions for the prevention, detection and investigation of crime but only in respect of sampling exemption claims from any relevant patient charges.
  • Shared by the Common Services Agency (NHS National Services Scotland) with HM Revenue and Customs for the prevention, detection and investigation of crime, but only in respect of sampling exemption claims from any relevant patient charges.

Patient demographic data and cost of prescriptions only – no prescription drug information

  • Shared by the Common Services Agency (NHS National Services Scotland) with Audit Scotland for the prevention, detection and investigation of crime for data matching exercises to identify public sector employees/independent contractors who make inappropriate claims for exemption.

Patient demographic data and cost of treatment only – no specific treatment information

  • Shared by the Common Services Agency (NHS National Services Scotland) with the Home Office for the prevention, detection and investigation of crime, but only treatment costs for specific patients who are subject to enquiries by NHS Scotland healthcare providers or by the Home Office for proscribed offences and/or for recovery of monies, in respect of receipt of NHS Scotland treatment and services as an overseas visitor (non-EEA foreign national).

Results of SDRS examinations

  • Shared by the Common Services Agency (NHS National Services Scotland) with NHS Boards, the patient's dentist or the patient for clinical governance compliance for all patients who have been examined by the SDRS.

Data on named practitioner earnings

  • Shared by the Common Services Agency (NHS National Services Scotland) with HM Revenue & Customs (HMRC) for HMRC statutory functions relating to tax collection annually.

Data on named practitioners.

  • Shared by the Common Services Agency (NHS National Services Scotland) with NHS Digital for the production of official statistics for use by stakeholders in pay negotiations annually on request by NHS Digital.

What information is shared - medical

All data on GP practice registration form (electronic)

  • Shared by General Medical Practices with the Common Services Agency (NHS National Services Scotland) for maintaining the Community Health Index and ensuring accurate payment - all GPR forms from all General Medical Practices in Scotland.
  • Shared by the Common Services Agency (NHS National Services Scotland) with NHS Scotland Counter Fraud Services (hosted by the Common Services Agency (NHS National Services Scotland)) for the prevention, detection and investigation of crime, but only when a patient, GP or other worker in the GP practice has been identified as potentially committing fraud.

All data on GP practice registration form (electronic) as held on CHI

  • Shared by the Common Services Agency (NHS National Services Scotland) with NHS Boards to ensure accurate payment, compliance with clinical governance, Public Health matters and Screening Services for all data relating to all patients registered with General Medical Practices in that NHS Board area.
  • Shared by the Common Services Agency (NHS National Services Scotland) with UK regulatory bodies such as the General Medical Council for professional regulation, but only data relating to specific patients registered by someone under investigation by a regulatory body.

All data on prescription (electronic)

  • Shared by General Medical Practices with the Common Services Agency (NHS National Services Scotland) to support accurate dispensing of the prescription for all prescriptions.

GP medical records (paper and electronic) for patients who are moving to another practice, not registered with a GP Practice, have left the UK or have died.

  • Shared by General Medical Practices with the Common Services Agency (NHS National Services Scotland) to enable the transfer to the next registered GP practice or to retain in secure storage whenever a patient leaves a GP practice or dies.

GP temporary medical records (paper and electronic) for patients who have been seen by someone other than their registered GP practice

  • Shared by General Medical Practices with the Common Services Agency (NHS National Services Scotland) to enable the transfer to the registered GP practice or to retain in secure storage whenever a patient is seen by a GP practice other than the one they are registered with.

GP medical records (paper) for patients who are moving to another practice.

  • Shared by the Common Services Agency (NHS National Services Scotland) with the Paperlight Practices Data Processor to digitise GP records to support paperlight GP working environments routinely as and when a patient moves to a paperlight GP Practice.

Patient demographic data and choice of organ donation

  • Shared by the Common Services Agency (NHS National Services Scotland) with NHS Blood and Transplant for the maintenance of the UK organ donor register, but only whenever a patient decides to provide organ donation information via the GP registration form.

Patient demographic data from the GP Practice registration form

  • Shared by the Common Services Agency (NHS National Services Scotland) with NHSCR/General Registers Office for the maintenance of NHSCR dataset. Demographic data for all patients is shared in order to keep the NHSCR dataset in line with CHI. The NHSCR dataset is used to identify which patients are in which NHS Boards, and which have left Scotland to other parts of the UK.
  • Shared by the Common Services Agency (NHS National Services Scotland) with the Home Office for prevention, detection and investigation of crime but only data for specific patients who are subject to enquiries by NHS Scotland healthcare providers or by the Home Office for proscribed offences, in respect of receipt of NHS Scotland secondary care treatment and services as an overseas visitor (non-EEA foreign national)

Data on named practitioner earnings.

  • Shared by the Common Services Agency (NHS National Services Scotland) with HM Revenue & Customs (HMRC) for HMRC statutory functions relating to tax collection annually.

Data on named practitioners.

  • Shared by the Common Services Agency (NHS National Services Scotland) with NHS Digital for the production of official statistics and the review body on Doctors’ and Dentists’ Remuneration’s annual reports, annually on request by NHS Digital.

Name and professional registration number of eligible NHS Prescribers for BNF Publications

  • Shared by NHS Boards with Common Services Agency (NHS National Services Scotland) to validate eligible prescribers and for assurance of administering public funds appropriately, annually in May/June for publication distribution in September.

Specific demographic and health information relating to claims for SIBSS and Transvaginal Mesh Fund

  • Shared by Patients directly with the Common Services Agency (NHS National Services Scotland) to assess and process claims as required.
  • Shared by the Common Services Agency (NHS National Services Scotland) with NHS Board Healthcare clinicians to verify claims as required.

GP Data in relation to the National Primary Care Clinicians Database (NPCCD)

  • Shared by NHS Boards with the Common Services Agency for GPs to be added to the Performers List. Health Boards are then responsible as Data Controllers for maintaining information on NPCCD for the Health Board.
  • Shared by the Common Services Agency (National Services Scotland) with Public Health Scotland (PHS) to produce General Practice Workforce and Population statistics.
  • Shared by the Common Services Agency (NHS National Services Scotland) with Practitioner & Counter Fraud Services (P&CFS) to update the SML (Supplementary Medical List) system.
  • Shared by the Common Services Agency (NHS National Services Scotland) with Organisation Data Service (ODS) part of NHS Digital for publishing organisation and practitioner unique identifiers and reference data, for use in systems and services in health and social care in England.
  • Shared by the Common Services Agency (NHS National Services Scotland) with NSS Digital & Security Strategic Business Unit to facilitate the extraction and onward feeding of data from NPCCD to other systems.

What information is shared - ophthalmic

All data on General Ophthalmic Service, Community Glaucoma Service or Hospital Eye Service claim forms (both paper and electronic)

  • Shared by Ophthalmic practices with the Common Services Agency (NHS National Services Scotland) to ensure accurate payment of all claims from General Ophthalmic Services contractors.
  • Shared by the Common Services Agency (NHS National Services Scotland) with NHS Scotland Counter Fraud Services (hosted by the Common Services Agency (NHS National Services Scotland)) for the prevention, detection and investigation of crime, but only when a patient, optometrist or other worker in the practice has been identified as potentially committing fraud.
  • Shared by the Common Services Agency (NHS National Services Scotland) with NHS Boards to ensure accurate payment, undertake payment verification and in respect of clinical governance for all treatment provided to patients in that NHS Board area.
  • Shared by the Common Services Agency (NHS National Services Scotland) with UK regulatory bodies such as the General Optical Council or General Medical Council for professional regulation, but only data relating to specific patients provided services by someone under investigation by a regulatory body.

Patient Ophthalmic Records

  • Shared by Ophthalmic practices with the Common Services Agency (NHS National Services Scotland) for payment verification purposes in accordance with obligations under both the Data Protection Act 2018/GDPR and the GOS Regulations but only when requested by the Common Services Agency (NHS National Services Scotland).

Patient demographic data only – no treatment information

  • Shared by the Common Services Agency (NHS National Services Scotland) with the NHS Business Services Authority for the prevention, detection and investigation of crime, but only in respect of sampling claims from full help with health costs or limited help with health costs.
  • Shared by the Common Services Agency (NHS National Services Scotland) with the Department of Work and Pensions for the prevention, detection and investigation of crime but only in respect of sampling exemption claims from any relevant patient charges.
  • Shared by the Common Services Agency (NHS National Services Scotland) with HM Revenue and Customs for the prevention, detection and investigation of crime but only in respect of sampling exemption claims from any relevant patient charges.
  • Shared by the Common Services Agency (NHS National Services Scotland) with the Home Office for the prevention, detection and investigation of crime, but only data for specific patients who are subject to enquiries by NHS Scotland healthcare providers or by the Home Office for proscribed offences and/or for recovery of monies, in respect of receipt of NHS Scotland treatment and services as an overseas visitor (non-EEA foreign national).

Patient demographic data and cost of prescriptions only – no prescription drug information

  • Shared by the Common Services Agency (NHS National Services Scotland) with Audit Scotland for the prevention, detection and investigation of crime, but only for data matching exercises to identify public sector employees who make inappropriate claims for exemption.

Optometric Data from the National Primary Care Clinicians Database (NPCCD)

  • Shared by NHS Boards with the Common Services Agency for Optometrists (OPTOMS) and Ophthalmic Medical Practitioners (OMPs) to be added to the Performers List. Health Boards are then responsible as Data Controllers for maintaining information on NPCCD for the Health Board.
  • Shared by NHS National Education for Scotland (NES) with the Common Services Agency (National Services Scotland) to provide details of the mandatory competency training which OPTOMs/ OMPs must undertake and maintain if they are to join and remain on the Ophthalmic List.
  • Shared by the Common Services Agency (NHS National Services Scotland) with NSS Digital & Security Strategic Business Unit to facilitate the extraction and onward feeding of data from NPCCD to other systems.

Other information we share

Including health boards; integrated joint health boards; suppliers; employees (including of other organisations); board and committee members; complainants; professional experts and consultants; family health services contractors; residents in care homes; public sector body service providers or their users; landlords; registered charities and carers.

Personal details; family details; education, training and employment details; financial details; goods and services; lifestyle and social circumstances; visual images, personal appearance and behaviour; details held in the patient's record; responses to surveys; racial and ethnic origin; offences and alleged offences; criminal proceedings, outcomes and sentences; trade union membership; physical or mental health details; religious or similar beliefs and sexual life.

  • Shared by the Common Services Agency (NHS National Services Scotland) Counter Fraud Services with data subjects themselves; associates and representatives of the person whose personal data we are processing; staff, including of other organisations; healthcare, social and welfare organisations; suppliers; service providers; legal representatives; auditors and audit bodies; debt collection and tracing agencies; professional advisers and consultants; business associates; police forces; other law enforcement agencies; central and local government; Crown Office and Procurators Fiscal Service for the prevention, detection and investigation of fraud or other irregularities in relation to the Health Service or Scottish public sector, when gathering intelligence, pursuing reasonable lines of enquiry in an investigation, following receipt of an allegation, intelligence report or product or commencement of a proactive investigation or exercise.

Joint controllers (Practitioner Services and NHS Boards)

Routine use and sharing of personal data takes place in support of the services defined within the Partnership Agreement between Practitioner Services and NHS Boards. This includes sharing for purposes such as:

  • Registration and removal of patients from appropriate contractor practice lists and maintaining accurate patient demographic and health data;
  • Transfer and securely store both paper and electronic patient (Docman) records. GP practices are also joint data controllers with NHS Boards as per the attached Memorandum of Understanding for the electronic patient records (EPR) held in their GP IT system;
  • Ensure data quality is subject to regular review and assessment;
  • Assigning patients to practices on behalf of NHS Boards where necessary;
  • Making payments to Primary Care contractors in accordance with agreed payment schedules;
  • Providing accurate and timely information to NHS Boards and Scottish Government on payments made in accordance with agreed schedules and maintaining appropriate controls over the payment process;
  • Carrying out payment verification in line with current guidelines to satisfy NHS Board management/audit requirements;
  • Assisting in the reduction of fraud in Primary Care through continued close liaison and the development of appropriate strategies with NHS Counter Fraud Services;
  • Carrying out and reporting on Scottish Dental Reference Service examinations as part of our role to provide assurance to the Scottish Dental Practice Board and work with NHS Boards in resolving any financial or clinical performance issues identified.

Any request from either Practitioner Services or an NHS Board for sharing of personal data beyond the scope of the Partnership Agreement will be considered first by the relevant parties' Information Governance Group. It will only be approved once the Group is satisfied that all necessary steps to ensure data protection compliance have been taken.

Document Control Information

Version: 1.6 Date: 16th April 2024

Revision History: Initial publish on the NSS web platform www.nss.nhs.scot

  • Version 1.5 - 25th September 2023
  • Version 1.4 - 3rd February 2023
  • Version 1.3 - 12th September 2022
  • Version 1.2 - 18th May 2022
  • Version 1.1 - 21st March 2022
  • Version 1.0 - 13th September 2021