How we use personal information

Take a closer look at our Information Sharing Agreements that are subject to scrutiny and approval of senior managers in NSS and partner organisations.

Types of data Collection Use Disclosure

Health Information:

  • All data on optometry claim  (both paper and electronic)
  • All data on prescription (both paper and electronic)
  • All data on dental claim (both paper and electronic)
  • All data on GP practice registration form (electronic)
  • Patient demographic data only – no treatment information
  • Patient demographic data and cost of prescriptions only – no prescription drug information

Personal Information:

  • personal details
  • family details
  • education, training and employment details
  • financial details
  • goods and services
  • lifestyle and social circumstances
  • complainants
  • visual images, personal appearance and behaviour,
  • responses to surveys
  • residents in care homes
  • landlords
  • carers

Special Category Information:

  • details held in the patients record
  • racial and ethnic origin
  • trade union membership
  • physical or mental health details
  • religious or similar beliefs
  • sexual life

Law Enforcement Information:

  • offences and alleged offences
  • criminal proceedings, outcomes and sentences

Other Organisations:

  • family health services contractors
  • professional experts and consultants
  • health boards, integrated joint health boards suppliers
  • employees (including of other organisations)
  • board and committee members
  • public sector body service providers or their users
  • registered charities

Information may be collected by CFS by means of data sampling of claims made by NHSScotland patients or other  individuals:

    • for full or partial help with health costs
    • has been identified as potentially committing fraud
    • exemption from relevant patient charges
    • subject to enquiries in respect of proper  entitlement to health care as an overseas visitor

Information may be provided to CFS by means of intelligence or information reports, either by telephone or online, and either by named individuals or organisations, in confidence, or anonymously.

Information may also be provided by the legal advisors or union representatives appointed by the individual to whom the information relates.

Information is used, to the extent necessary, for the prevention, detection and investigation of crime or other irregularities as part of the provision of a counter fraud service.

Information will also be used, to the extent necessary, to comply with our statutory and regulatory obligations.

We may disclose personal information to the following parties, in each case where CFS is required to do so, in connection with the prevention, detection and investigation of crime or the recoveries of relevant patient charges:

  • Home Office
  • the court or tribunal, whichever is relevant
  • the Crown Office & Procurators Fiscal Service
  • Business Services Authority
  • Audit Scotland
  • Department for Work and Pensions
  • Practitioner Services
  • HM Revenues and Customs
  • expert witnesses, where expert witnesses have been engaged by CFS, to allow the expert witnesses to provide their statement and/or testimony
  • factual witness, where such witness have witnessed an event or a course of behaviour, etc, but such disclosure will be limited to that required to allow the factual witnesses to provide their statement and/or testimony

We may also disclose personal data that it holds to the following parties, for the following specified purposes:

  • the Scottish Government or other relevant body, where this is required in connection with any fatal accident inquiry, public inquiry or other statutory inquiry
  • relevant professional regulatory bodies, such as the General Medical Council, the General Dental Council, the Nursing and Midwifery Council, etc., where this is required in required in order to comply with any statutory  or regulatory obligation
  • the police, upon receipt of a valid Section 29 request (or, after 25 May 2018, its equivalent under the GDPR)
  • external auditors where required in connection with any audit of CFS activities
  • service providers to CFS, e.g. IT providers, but such disclosure will be limited to that required for providing the relevant service and will only be effected with service providers who have entered into a contract with NSS in which robust data protection obligations and protections are contained
  • data subjects themselves; associates and representatives of the person whose personal data we are processing
  • staff, including of other organisations; healthcare social and welfare organisations
  • suppliers
  • service providers
  • legal representatives
  • auditors and audit bodies
  • debt collection and tracing agencies
  • professional advisers and consultants; business associates; police forces; other law enforcement agencies; central and local government