Data protection

  1. How we use personal information
  2. How to access your personal information
  3. Ask us a question
  4. National Fraud Initiative 2016-17
  5. Report a concern

How we use personal information

The Data Protection Act protects your rights in relation to how your personal information is used. Our staff have a duty to keep your personal information secure.

Personal information is any details that identify you, including your:

  • name
  • address
  • date of birth
  • postcode
  • clinical information.

We use and share it to run our services.

If you wish to find out more about how NSS use personal information, a privacy notice leaflet (PDF) is available to view.

Some of our services also publish more detailed information about this on their web pages.

More information about how NHS Scotland uses personal information is in the national factsheet available here - Confidentiality. How the NHS protects your personal health information.


NSS entry in the Information Commissioner's Register of Data Controllers

To comply with the law, NSS has registered with the Information Commissioner's Office (ICO). Our register entry can be viewed at the Information Commissioner's website.

Search using 'NHS National Services Scotland' in the 'Name' field.


How to access your personal information

You've a right to know whether we hold any information about you and the right to:

  • a copy of it
  • know the reason why we keep it
  • know how we use it
  • know who gave it to us
  • know who we might share it with.

You can access your information, or someone else’s on their behalf.

What you’ll need

To access information you’ll need to submit:

  • copies of 2 documents providing proof of identification and your current address.

These can be your:

  • passport
  • driving licence
  • concessionary travel pass
  • recent utility bill
  • recent bank statement.

The Subject Access Request form has full information on proof of identity documents.

When you’ll get a response

We’ll respond to all requests within 40 days.

If you want to access personal information held about you by other NHS Scotland organisations eg hospitals and GP practices, you need to make a request to them via NHS Inform. 

Visit the NHS Inform website (external link)

Ask us a question

Within NSS, we’ve 2 representatives who make sure we use and share your information safely and who you can contact if you have a question.

They're our Privacy Advisor, who monitor how we use it - and our Caldicott Guardian, a senior person who oversees our policies on the use and sharing of patient information.

Contact our Privacy Advisor

Patricia Ruddy, Privacy Advisor

Phone: 0131 275 6744


Contact our Caldicott Guardian

Professor Marion Bain, Caldicott Guardian

Phone: 0131 275 6325


If you wish to know what personal information we hold about you, you can apply for access using our data protection subject access request form.

Download the access form (PDF 184KB)

National Fraud Initiative 2016-17

National Services Scotland (NSS) is required by law to protect the public funds it administers. We may share information provided with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

On behalf of the Auditor General for Scotland, Audit Scotland appoints the auditor to audit the accounts of this Health board. It is also responsible for carrying out data matching exercises.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified but the inclusion of personal data within a data matching exercise does not mean that any specific individual is under suspicion. Where a match is found it indicates that there may be an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out. The exercise can also help bodies to ensure that their records are up to date.

Audit Scotland currently requires us to participate in a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to Audit Scotland for matching for each exercise, and these are set out in Audit Scotland’s instructions.

The use of data by Audit Scotland in a data matching exercise is carried out with statutory authority, normally under its powers in Part 2A of the Public Finance and Accountability (Scotland) Act 2000. It does not require the consent of the individuals concerned under the Data Protection Act 1998. Data matching by Audit Scotland is also subject to a Code of Practice.

Audit Scotland’s instructions, full text privacy notice and Code of Practice can be found on the Audit Scotland website (external link).

Alternatively, you can contact our NSS Fraud Liaison Officer Louise  Roberts by email ( or by telephone 0131 314 5590.

Contact the team

Report a concern

Got a concern about how we're handling your personal information? Here are your choices on how to report it:

Write to:

NSS Privacy Advisor
Gyle Square
1 South Gyle Crescent
EH12 9EB


If you're unhappy with our response, you can report it to the Information Commissioner's Office.

Information Commissioner’s Office Helpline

Phone: 0303 123 1113

You can also get full details on how to report a concern.