Data protection

  1. How we protect personal information
  2. How we use and share personal information
  3. Contact us and access your personal information
  4. National Fraud Initiative 2016-17
  5. Report a concern

How we protect personal information

The Data Protection Act 1998 protects your rights in relation to how your personal information is used. Our staff have a duty to keep your personal information secure, and to handle confidential information safely.

Personal information is any details that identify you, including your:

  • name
  • address
  • date of birth
  • postcode
  • clinical information.

We've an individual known as a ‘Caldicott Guardian’ whose job is to make sure that patient information is handled properly. We also have a Privacy Advisor whose job is to monitor how we use personal information.

We take care to make sure your personal information isn't given to any unauthorised people.

NSS entry in the Information Commissioner's Register of Data Controllers

To comply with the law, we've registered with the Information Commissioner's Office (ICO). Our register entry can be viewed at the Information Commissioner's website (external link).

Search using 'NHS National Services Scotland' in the 'Name' field.

How we use and share personal information

We use and share personal information to run our services.

If you wish to find out more about how NSS use personal information, a privacy notice leaflet (PDF) is available to view.

Download the privacy notice leaflet (PDF 583 KB)


Better blood products

The personal information we hold in order to provide specialist transfusion medicine in Scotland includes contact details and relevant health information on blood and tissue donors.

For more information on how we supply high quality blood, tissues, products and services across the country please visit the Scot Blood website (external link).

Protecting public health

The personal information we hold to protect the Scottish public from being exposed to infectious and environmental hazards includes personal and health information, as well as information on risks and travel history.

For more information on how we protect the Scottish public in this way, please visit the Health Protection Scotland (HPS) website (external link).

Screening and specialist services

We commission and manage national screening programmes and specialist clinical services on behalf of NHSScotland. We do occasionally use some personal information in order to ensure that Scottish residents get access to highly specialised services in Scotland, wider UK NHS and abroad when appropriate.

We also deliver specialist technical guidance, support and advice on healthcare buildings and equipment. As part of this work, we hold personal and health information on patients using oxygen in their own home.

For more information on screening and specialist services please visit the Health Facilities Scotland website (external link) and National Services Division website (external link).

Enabling better procurement

We are NHSScotland's centre of procurement expertise. The personal information we hold to do this includes business and contact details on contractors and possible contractors; contact details on NHS staff and clients who are involved in buying products; and personal information and contact details on patients.

For more information on our procurement please visit our NHS National Procurement website (external link).

Supporting better decision-making

Since the start of the NHS, staff who provide care or treatment have collected data about patients in order to provide better care. As Scotland's national organisation for health information and statistics, we have led the collection and analysis of that data for almost 40 years.

To help us in this work we use personal and health information on patients treated throughout the Scottish health service. We also collect and interpret information on the people working for the health service, and information on finances. This information is provided to us by NHS and care organisations. The statistical information and analysis we produce using this data supports the daily business of the Scottish health service, helping it make the right decisions for patients.

Visit the Information Services Division website (external link)

The Scottish Health Service Centre (SHSC) (external link) provides a range of professional services and resources to support training and learning in the NHS. To support this work, the personal information we hold includes business and contact details of our customers, people who visit and utilise the SHSC conference centre, delegates attending conferences organised by our events team, users of the library service and details of medical, dental and health professionals held on the various systems we manage as part of our committee service function.

Ensuring quality local treatment

A key service we provide is paying General Practitioners (GPs), dentists, opticians and pharmacists accurately and on time for the treatment they provide to the public. We also help patients find a GP or dentist or register for new pharmacy services. We register and update patient information on the Community Health Index (CHI) database, and transfer medical records between GP practices, so that GPs can give patients the best care. We also act as the agent of the Scottish Dental Practice Board which oversees the work of NHS dentists in Scotland. We pay dentists, approve treatment plans, and oversee the quality of dental care and treatment on its behalf.

The personal information we hold on patients to do this range of work includes name, address, date of birth and Community Health Index (CHI) Number, and whether or not a person is an organ donor. It also includes treatment details provided by GPs, dentists, opticians and pharmacists as part of the payment process. The personal information we hold about GPs, dentists, opticians and pharmacists includes name, address, date of birth, professional registration number and their bank account details.

For more information on how we ensure quality local treatment please visit the practitioner section of our website.

Fighting fraud

To support this work, the personal information we hold includes business, contact and personal information about contractors and suppliers; personal information about NHS employees; a small amount of health information about NHS patients and people who would like to be NHS patients.

For more information on how we protect Scotland’s health from the impact of fraud please visit the Counter Fraud Services website (external link).

Supporting NHS technology

Our Information Technology services include the management and delivery of large-scale information and communications technology solutions to enable increased business capability and lower costs across Health and the broader public sector. Our portfolio of products includes:

  • Picture Archiving and Communications Systems (PACS) (internal to SWAN network only);
  • the award-winning Emergency Care Summary (ECS) (internal to SWAN network only);
  • SCI Gateway (external link);
  • Scottish Health on the Web (SHOW) (external link)

The personal information we hold to do this includes business and contact details on contractors and possible contractors and contact details on NHS staff who develop and introduce information management and technology products. Sometimes, as part of this work, we hold personal and health information about patients, if this is needed by an NHS health-care provider. This helps information management and technology products to be used, and NHSScotland to run smoothly.

For more information on our Information Technology services please visit the Information Technology section of our website.

Legal advice for the public sector

Our Central Legal Office (CLO) provides a legal service to NHSScotland, and gives specialised and high-quality advice to the public sector in Scotland. To support this work, we use personal information such as the names and personal details of clients and people making a claim, which are used for legal and charging purposes. We also use personal health information and relevant medical records needed for legal purposes.

For more information please visit our CLO website (external link).

Supporting our own business

We also hold personal information on our staff, customers and suppliers. We use this information to carry out our responsibilities as an employer, and buyer and provider of goods and services.

More information

More information about how NHS Scotland uses personal information is in the national factsheet available here - Confidentiality. How the NHS protects your personal health information (external link).


Contact us and access your personal information

Within NSS, we’ve 2 representatives who make sure we use and share your information safely and who you can contact if you have a question.

They're our Privacy Advisor, who monitors how we use it, and our Caldicott Guardian, a senior person who oversees our policies on the use and sharing of patient information.

Contact our Privacy Advisor

Patricia Ruddy, Privacy Advisor

Phone: 0131 275 6744


Contact our Caldicott Guardian

Dr Lorna Ramsay, Caldicott Guardian

Phone: 0131 275 6917



How to access your personal information

If you wish to know what personal information we hold about you, you can apply for access using our data protection subject access request form.

Download the access form (PDF 184KB)


You've a right to know whether we hold any information about you and the right to:

  • a copy of it
  • know the reason why we keep it
  • know how we use it
  • know who gave it to us
  • know who we might share it with

You can access your information, or someone else’s on their behalf.

What you’ll need

To access information you’ll need to submit:

  • a complete subject access request form
  • copies of 2 documents providing proof of identification and your current address

These can be your:

  • passport
  • driving licence
  • concessionary travel pass
  • recent utility bill
  • recent bank statement.

When you’ll get a response

We’ll respond to all requests within 40 days.


If you want to access personal information held about you by other NHSScotland organisations, e.g. hospitals and GP Practices, please follow the advice on how to do this published by NHS Inform.

Visit the NHS Inform website (external link)

National Fraud Initiative 2016-17

National Services Scotland (NSS) is required by law to protect the public funds it administers. We may share information provided with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

On behalf of the Auditor General for Scotland, Audit Scotland appoints the auditor to audit the accounts of this Health board. It is also responsible for carrying out data matching exercises.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified but the inclusion of personal data within a data matching exercise does not mean that any specific individual is under suspicion. Where a match is found it indicates that there may be an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out. The exercise can also help bodies to ensure that their records are up to date.

Audit Scotland currently requires us to participate in a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to Audit Scotland for matching for each exercise, and these are set out in Audit Scotland’s instructions.

The use of data by Audit Scotland in a data matching exercise is carried out with statutory authority, normally under its powers in Part 2A of the Public Finance and Accountability (Scotland) Act 2000. It does not require the consent of the individuals concerned under the Data Protection Act 1998. Data matching by Audit Scotland is also subject to a Code of Practice.

Audit Scotland’s instructions, full text privacy notice and Code of Practice can be found on the Audit Scotland website (external link).

Alternatively, you can contact our NSS Fraud Liaison Officer Louise Roberts by email or by telephone 0131 314 5590.

Contact the team

Report a concern

Got a concern about how we're handling your personal information? Here are your choices on how to report it:

Write to:

NSS Privacy Advisor
Gyle Square
1 South Gyle Crescent
EH12 9EB


If you're unhappy with our response, you can report it to the Information Commissioner's Office.

Information Commissioner’s Office Helpline

Phone: 0303 123 1113

You can also get full details (external site) on how to report a concern.