Data protection

We take your privacy very seriously. Have a look at what we're doing with your personal information and how we're keeping it secure.

How we use personal information

The Counter Fraud Services (CFS) is part of the strategic business unit, Practitioner & Counter Fraud Services within NHS National Services Scotland (NHS NSS). NSS is a public organisation created in Scotland under Section 10 of the National Health Service (Scotland) Act 1978.

NSS is the common name of the Common Services Agency for the Scottish Health Service. CFS provides counter fraud services to the various Health Boards and other entities that make up NHSScotland, as well as to other public sector organisations.

We are committed to protecting and respecting the privacy of individuals whose personal information is held and used by CFS and complying with its obligations under the General Data Protection Regulation (EU) 2016/679 (the GDPR) and the EU Data Protection Directive 2016/680 (Law Enforcement Directive (LED)) as transposed by Part 3 of the Data Protection Bill/Act 2018.

This data protection notice explains:

  • the types of personal information that we collect and process in relation to our function
  • how we obtain and use personal information
  • when we may disclose personal information to third parties

General details, including our legal basis for using personal information and how NSS handles personal information are available on the NSS data protection page.

What personal information is shared, with whom, and in what circumstances?

Personal and special category information (e.g. racial or ethnic origin, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation’) is shared only when it is lawful to do so. NSS operates principally on the basis that data processed by CFS is received on a statutory legal basis, not on the basis of consent.

When patients access primary care services, they sign a form which in part is a data protection notice explaining to patients how their data may be lawfully shared. To further increase the transparency of data sharing arrangements, we have detailed below what information is shared, when and why.

Finally, where necessary, we have documented Information Sharing Agreements which are subject to scrutiny and approval of senior managers in NSS and partner organisations.

Find out what information we share

Codes of conduct

Our staff have a legal and contractual duty to keep personal information secure and confidential. Each member of staff/worker is required to read and sign the confidentiality statement on an annual basis. All staff/workers must undergo information governance training on a two-yearly basis.

Your rights

Find out more about your rights in relation to the information about you used by NHS NSS (including CFS)

If you would like to access information about you which is held by CFS, or make any objection or other request in relation to CFS’ use of your information, you can do this by contacting:

NSS Data Protection Officer, Gyle Square, 1 South Gyle Crescent, Edinburgh EH12 9EB

Telephone: 0131 275 6000

E-mail: nss.dataprotection@nhs.net