Data Protection

GDPR is Europe's new framework for data protection laws. It replaces the previous 1995 data protection directive, which current UK law is based upon. The new regulation starts on 25 May 2018. We take your privacy very seriously. Have a look at what we're doing with your personal information and how we're keeping it secure.

  1. Legal basis
  2. Data collection, use and retention
  3. Data security
  4. Codes of conduct and privacy policies
  5. Your rights
  6. What information is shared - pharmacy
  7. What information is shared - dental
  8. What information is shared - medical
  9. What information is shared - ophthalmic
  10. Other information we share

Legal basis

Who is the Data Controller?

Practitioner Services is the business unit within NHS National Services Scotland (NSS) which has direct engagement in data flows with primary care contractors, and manages the Scottish Infected Blood Support Scheme. NHS NSS is a public organisation created in Scotland under Section 10 of the National Health Service (Scotland) Act 1978. NSS is the common name of the Common Services Agency for the Scottish Health Service.

Our legal basis for using personal information

To provide our services we need to collect, use and store personal information. This includes the collection, validation, processing and storage of health and demographic data relating to primary care services received by patients either residing in or accessed in Scotland.

When using personal information our legal basis is that its use is necessary for:

  • the performance of a task carried out in the public interest, or in the exercise of official authority vested in us;
  • the provision of health or social care or treatment or the management of health or social care systems and services.

On some occasions we may rely on another basis, which will usually be that the use is necessary:

  • for reasons of public interest in the area of public health; or
  • for reasons of substantial interest for aims that are proportionate and respect people’s rights, for example research; or
  • in order to protect the vital interests of an individual.

The functions of NSS are further defined in the Functions of the Common Services Agency Order 2008 and the National Health Service (Functions of the Common Services Agency) (Scotland) Amendment Order 2014.

These statutory instruments set out the legal basis for NSS to provide services within NHS Scotland and the wider Scottish public sector, as directed by Scottish Ministers.

Other Regulations and statutory instruments either directly identify NSS as carrying out a function or identify a NHS Board/Scottish Dental Practice Board as having that function which is then discharged on behalf of that organisation by NSS acting under the Functions Order (as amended).

The main Regulations which operate in the primary care environment in NHS Scotland are:

Data collection, use and retention

What personal information do we use?

We use personal information on:

  • Patients residing in or receiving services from NHS Scotland
  • Primary care contractors (dentists, GPs, pharmacists, optometrists) or their staff providing services to patients in NHS Scotland.

What personal information is collected?

Demographic information

  • Current and previous surnames, forenames
  • Gender
  • Date of birth
  • Community Health Index (CHI) numbers
  • Residential addresses relating to patients

Health information

  • GP medical records
  • Dental treatment applied for or provided under the General Dental Service or Public Dental Services
  • Eye examinations
  • Prescription data, records of drugs prescribed and dispensed by Community Pharmacies
  • Records of patient registration with primary care contractors who accept the patients under their care

Primary care contractor information

  • Surnames, forenames
  • Gender
  • Date of birth
  • Professional Registration Number
  • Bank details
  • E-mail address
  • Telephone number
  • Residential address

The information is used to provide remuneration to the primary care contractors for the services provided to the patient, for example remuneration of drugs, dental and ophthalmic services.

GP medical record information is transferred by NSS when patients move GP practices.

Our systems may make automated decisions in respect of payment authorisation, patient data matching/updating, dental treatment approval workflows or audit sampling. Where this is done it is based on predefined business rules and criteria which are regularly reviewed. 

National datasets, including the CHI, are created and maintained by the processing of transactional data and are more widely used within NHS Scotland for the purposes of clinical governance, service monitoring, financial management and planning.

How is personal information collected?

NSS Practitioner Services operates a number of paper and IT systems which collect data from primary care contractors.

Where IT systems are operated, these interface with the local systems operated by the primary care contractors and data is transmitted over secure networks.

Paper collection is through secure, contracted couriers or through local NHS Board provided transport systems.

Where is the personal information stored?

Data on paper is stored in NSS’s secure office premises within Scotland or in our third party archive store located in Scotland.

Data stored electronically is held within secure data centres located within Scotland and is not held outwith the UK.

How is the accuracy of personal information ensured?

Much data is captured electronically as directly entered to local systems by primary care contractors. NSS Practitioner Services carries out a series of data validation processes to ensure the data is of sufficiently high quality to process. Rejected and processed data is reported back to the primary care contractor for review. In addition, Practitioner Services operate a number of post processing verification processes to further assure data quality including data quality reviews, post-payment verification, internal and external audits.

What personal information is shared, with whom, and in what circumstances?

Personal information is shared only when it is lawful to do so. NSS operates principally on the basis that data processed by Practitioner Services is received on a statutory legal basis, not on the basis of consent.

When patients access primary care services, they sign a form which in part is a data protection notice explaining to patients how their data may be lawfully shared. In addition, Practitioner Services publishes a patient leaflet which goes into further detail. To further increase the transparency of data sharing arrangements, Practitioner Services has published a patient information leaflet and matrix detailing what information is shared, when and why (see sections 6-10).

Finally, where necessary, we have documented Information Sharing Agreements which are subject to scrutiny and approval of senior managers in NSS and partner organisations.

What other purposes might the personal information be used for?

Personal information may be anonymised or pseudo-anonymised by NHS Scotland for research purposes. These processes mean that data can no longer be identified to a named patient.

Personal information may be released to tribunals, hearings or other disciplinary or investigative processes in respect of professional bodies regulating primary care contractors.

Personal information may be released to Police Scotland, other police organisations or other organisations who have statutory powers in the prevention or detection of crime.

Are any third parties involved in the processing of personal information?

  • Nationally and locally appointed couriers, NHS Board transport services and the Royal Mail are used for processing paper records
  • RSS/Oasis is used for archive storage of paper records
  • ATOS, who hold the NHS Scotland national IT contract and their sub-contractors in respect of IT systems

Transfers outwith the UK

Data flows from primary care practitioners to NSS Practitioner Services do not flow outwith the UK. NSS does not store or process data outwith the UK.

How long is data retained for?

The retention of data varies depending on the nature of the data involved. Practitioner Services comply with the Scottish Government’s code of practice on the retention of clinical and administrative records and local NSS policies.

Read the Scottish Government's code of practice (external site)

Data security

What IT systems are involved?

NSS operates bespoke and off-the-shelf IT systems which are owned and operated by NSS and Atos the National IT contract supplier. NSS uses the NHSMail service provided by Accenture for email services.

Within Practitioner Services, the main systems are:

  • GMS – CHI, Partners, MedEx, Barex, PMSPS
  • Pharmacy – Scanning, ICR, DCVP, PIS
  • Dental – Scanning, iDent, EDI, eDental, PARS, MIDAS, data warehouse
  • Optometry – Scanning, iDent, eOphthalmic, OPTIX, Data warehouse

What safeguards are in place?

Physical access controls are operated at NSS premises, third party storage facilities and data centres such as swipe access control systems, security guards, CCTV, locked cupboards and rooms.

IT systems are secured by firewalls, secure networks, usernames/passwords including two factor authentication where required and encryption of data in flight and at rest.

How is access to data controlled?

User access to Practitioner Services systems is authorised by key personnel and reviewed regularly to ensure that access is commensurate with operational need. User access is revoked when staff leave the organisation or change role. User access processes are audited annually by external auditors. Passwords are required to be changed regularly in line with the NHS Scotland password standard.

Codes of conduct and privacy policies

Our staff have a legal and contractual duty to keep personal health information secure and confidential. In addition, some professionally registered staff/workers are required to comply with standards set by their professional bodies.

Each member of staff/worker is required to read and sign the confidentiality statement on an annual basis. All staff/workers must undergo information governance training on a two-yearly basis.

Patient privacy/data protection notices

Patient privacy/data protection notices are contained in forms (or their electronic equivalent) that patients are required to sign when registering with/receiving treatment from a primary care contractor.

These data protection notices do not seek the consent of the patient for their data flow to NSS since the legal basis of that sharing is not consent, it is required by the statutory framework referred to in our legal basis section.

Your rights

GDPR is Europe's new framework for data protection laws. It replaces the previous 1995 data protection directive, which current UK law is based upon.

The new regulation starts on 25 May 2018. Data protection law governs the use of personal information and gives you the following rights:

The right to be informed

Patients have a right to be informed about how we use personal information. We use a number of ways to do this, including: 

  • Data Protection Privacy Notices contained in forms (or their electronic equivalent) which patients are required to sign when registering with/receiving treatment from a primary care contractor
  • Patient Information leaflet
  • Discussions with staff providing your care

Primary Care contractors have a right to be informed how we use their personal information.  This is done through this Data Protection Privacy Notice.

The right of access

You have a right to see, or have a copy of, the information we hold about you. This right includes making you aware of what information we hold along with the opportunity to satisfy you that we are using your information fairly and legally. You have the right to obtain:

  • Confirmation that your personal information is being held or used by us
  • Access to your personal information
  • Additional information about how we use your personal information

If you would like to access your personal information, you can do this by contacting the NSS Data Protection Officer at the address below:

NSS Data Protection Officer, Gyle Square, 1 South Gyle Crescent, Edinburgh EH12 9EB

Telephone: 0131 275 6000

Email: nss.dataprotection@nhs.net

The right to rectification

If the personal information we hold about you is inaccurate or incomplete you have the right to have this corrected.

If it is agreed that your personal information is inaccurate or incomplete we will aim to amend your records accordingly, normally within one month, or within two months where the request is complex. Unless there is a risk to patient safety, we can restrict access to your records to ensure that the inaccurate or incomplete information is not used until amended.

If for any reason we have shared your information with anyone else, we will notify them of the changes required so that we can ensure their records are accurate.

If on consideration of your request we do not consider the personal information to be inaccurate then we will add a comment to your record stating your concerns about the information. If this is the case we will contact you within one month to explain our reasons for this.

If you are unhappy about how we have responded to your request for rectification we will provide you with information on how you can complain to the Information Commissioner’s Office, or how to take legal action.

The right to object

You have the right to object to our use of personal information about you, and also seek that further processing of personal information about you is restricted. 

We provide a number of functions on a national basis. These are described in the Functions of the Common Services Agency Order 2008 (external link).

We receive claims along with the personal data about treatment given for the purpose of authorising and making payments to Primary Care Contractors under Regulations and statutory powers.

Patients do not have a right of opt-out to the collection and processing of personal data for services provided by NHS Scotland primary care contractors: it is a requirement of the various Regulations referred to earlier that data is collected, processed and shared in a lawful manner. It is for that reason that the privacy notices on primary care forms do not seek consent or opt-in/outs since consent is not the basis of the processing.

In most instances, data held by NSS Practitioner Services is held on a statutory basis and the deletion of the data is not possible since to do so would compromise either NSS to be able to fulfil one of its statutory functions or the function of another NHS Scotland Board or organisation.

For example, the deletion of patients from CHI is not possible since to do so would risk patient mis-identification and also mean that statutory functions such as immunisation and other public health functions placed upon NHS Boards could not be delivered.

Where data is incorrect, that data can be corrected either directly or noted as incorrect (e.g. a historic record of treatment cannot be directly updated). Within GP records, patients may wish that part of their medical history be deleted, but that may be at odds with a statutory requirement and may compromise the NHS’s ability to provide safe and effective care. Such deletion requests would require the agreement of senior medical personnel in the relevant NHS Board if it were to be actioned.

The right to complain

NHS NSS employ a Data Protection Officer to check that we handle personal information in a way that meets data protection law. If you are unhappy with the way in which we use your personal information please tell our Data Protection Officer using the contact details below.

NSS Data Protection Officer, Gyle Square, 1 South Gyle Crescent, Edinburgh EH12 9EB

Telephone: 0131 275 6000

Email: nss.dataprotection@nhs.net

You also have the right to complain about how we use your personal information to the Information Commissioner’s Office (ICO).  Details about this are on their website at www.ico.org.uk

Other rights

There are other rights under current data protection law, however these rights only apply in certain circumstances. If you wish further information on these rights please look at the data protection pages on the NHS NSS website.

What information is shared - pharmacy

  • What is shared: All data on prescription (both paper and electronic)
    Shared by: Community Pharmacies
    Shared with: Common Services Agency (NHS National Services Scotland)
    Why: Accurate payment
    When: All prescriptions
  • What is shared: All data on prescription (both paper and electronic)
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: Common Services Agency (NHS National Services Scotland)
    Why: Prevention, detection and investigation of crime. NSS hosts NHS Scotland Counter Fraud Services
    When: Only when a patient, or dispensing contractor (community pharmacy, dispensing doctor, a specialist appliance supplier and stoma provider), has been identified as potentially committing fraud
  • What is shared: Patient demographic data only – no prescription information
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: NHS Business Services Authority
    Why: Prevention, detection and investigation of crime
    When: Only in respect of sampling claims from full help with health costs or limited help with health costs
  • What is shared: Patient demographic data only – no prescription information
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: Department of Work and Pensions
    Why: Prevention, detection and investigation of crime
    When: Only in respect of sampling claims from full help with health costs or limited help with health costs
  • What is shared: Patient demographic data only – no prescription information
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: HM Revenue and Customs
    Why: Prevention, detection and investigation of crime
    When: Only in respect of sampling claims from full help with health costs or limited help with health costs
  • What is shared: All data on prescription (both paper and electronic)
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: Community Pharmacy Scotland
    Why: Accurate payment
    When: All prescriptions
  • What is shared: All data on prescription (both paper and electronic)
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: Local Authorities
    Why: Provision of social care services
    When: Only prescriptions of patients receiving social care where this is requested to be shared
  • What is shared: All data on prescription (both paper and electronic)
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: NHS Boards
    Why: Accurate payment. Clinical governance
    When: All prescriptions prescribed in or dispensed in that NHS Board area
  • What is shared: All data on prescription (both paper and electronic)
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: UK Regulatory Bodies such as the General Medical Council and General Pharmaceutical Council
    Why: Professional regulation
    When: Only prescriptions of specific patients who have received a prescription from someone under investigation by a Regulatory Body
  • What is shared: All data on minor ailment service or chronic registration service forms, or in respect of enhanced services
    Shared by: Community Pharmacies
    Shared with: Common Services Agency (NHS National Services Scotland)
    Why: Accurate payment
    When: All patients registered or receiving services under these schemes

What information is shared - dental

  • What is shared: All data on general dental or orthodontic treatment plan or claim form (both paper and electronic) as well as any X-rays and models submitted
    Shared by: Dentists
    Shared with: Common Services Agency (NHS National Services Scotland)
    Why: Treatment authorisation, patient registration with the dentist and accurate payment
    When: All dental claims from General Dental Services
  • What is shared: Patient dental records
    Shared by: Dental practices
    Shared with: Common Services Agency (NHS National Services Scotland)
    Why: Payment verification purposes. Obligation under both the Data Protection Act 2018/GDPR and the GDS Regulations
    When: When requested by Common Services Agency (NHS National Services Scotland)
  • What is shared: All data on general dental or orthodontic treatment plan or claim form (both paper and electronic) as well as any X-rays and models submitted
    Shared by: NHS Boards
    Shared with: Common Services Agency (NHS National Services Scotland)
    Why: Treatment authorisation, patient registration with the Public Dental Service and activity recording
    When: All dental claims from Public Dental Service
  • What is shared: All data on general dental or orthodontic treatment plan or claim form (both paper and electronic) as well as any X-rays and models submitted
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: Common Services Agency (NHS National Services Scotland)
    Why: Prevention, detection and investigation of crime. NSS hosts NHS Scotland Counter Fraud Services
    When: Only when a patient or dentist has been identified as potentially committing fraud
  • What is shared: Patient demographic data only – no treatment information
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: NHS Business Services Authority
    Why: Prevention, detection and investigation of crime
    When: Only in respect of sampling claims from full help with health costs or limited help with health costs
  • What is shared: Patient demographic data only – no treatment information
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: Department of Work and Pensions
    Why: Prevention, detection and investigation of crime
    When: Only in respect of sampling exemption claims from any relevant patient charges
  • What is shared: Patient demographic data only – no treatment information
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: HM Revenue and Customs
    Why: Prevention, detection and investigation of crime
    When: Only in respect of sampling exemption claims from any relevant patient charges
  • What is shared: Patient demographic data and cost of prescriptions only – no prescription drug information
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: Audit Scotland
    Why: Prevention, detection and investigation of crime
    When: Data matching exercise to identify public sector employees who make inappropriate claims for exemption
  • What is shared: Patient demographic data and cost of treatment only – no specific treatment information
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: Home Office
    Why: Prevention, detection and investigation of crime
    When: Only treatment costs for specific patients who are subject to enquiries by NHS Scotland healthcare providers or by the Home Office for proscribed offences and/or for recovery of monies, in respect of receipt of NHS Scotland treatment and services as an overseas visitor (non-EEA foreign national)
  • What is shared: All data on general dental or orthodontic treatment plan or claim form (both paper and electronic) as well as any X-rays and models submitted
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: NHS Boards
    Why: Accurate payment. Clinical governance
    When: All treatment provided to patients in that NHS Board area
  • What is shared: All data on general dental or orthodontic treatment plan or claim form (both paper and electronic) as well as any X-rays and models submitted
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: UK Regulatory Bodies such as the General Dental Council
    Why: Professional regulation
    When: Only claims, treatment and records for specific patients who have received dental treatment from someone under investigation by a Regulatory Body
  • What is shared: Results of SDRS examinations
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: NHS Boards, the patient's dentist, the patient
    Why: Clinical governance
    When: All patients who have been examined by the SDRS
  • What is shared: Data on named practitioner earnings
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: HM Revenue & Customs (HMRC)
    Why: HMRC statutory functions relating to tax collection
    When: Annually
  • What is shared: Data on named practitioners
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: NHS Digital
    Why: Official Statistics and the Review Body on Doctors' and Dentists' Remuneration's annual reports. Use by stakeholders in pay and contract negotiations
    When: Annually on request by NHS Digital

What information is shared - medical

  • What is shared: All data on GP practice registration form (electronic)
    Shared by: General Medical Practices
    Shared with: Common Services Agency (NHS National Services Scotland)
    Why: Community Health Index and accurate payment
    When: All GPR forms from all General Medical Practices in Scotland
  • What is shared: All data on prescription (electronic)
    Shared by: General Medical Practices
    Shared with: Common Services Agency (NHS National Services Scotland)
    Why: To support accurate dispensing of the prescription
    When: All prescriptions
  • What is shared: All data on GP practice registration form (electronic)
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: Common Services Agency (NHS National Services Scotland)
    Why: Prevention, detection and investigation of crime. NSS hosts NHS Scotland Counter Fraud Services
    When: Only when a patient, GP or other worker in the GP practice has been identified as potentially committing fraud
  • What is shared: Patient demographic data from the GP practice registration form
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: Home Office
    Why: Prevention, detection and investigation of crime
    When: Only data for specific patients who are subject to enquiries by NHS Scotland healthcare providers or by the Home Office for proscribed offences, in respect of receipt of NHS Scotland treatment and services as an overseas visitor (non-EEA foreign national)
  • What is shared: All data on GP practice registration form (electronic) as held on CHI
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: NHS Boards
    Why: Accurate payment, clinical governance, public health, screening services
    When: All data relating to all patients registered with General Medical Practices in that NHS Board area
  • What is shared: All data on GP practice registration form (electronic) as held on CHI
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: UK Regulatory Bodies such as the General Medical Council
    Why: Professional regulation
    When: Only data relating to specific patients registered by someone under investigation by a Regulatory Body
  • What is shared: GP medical records (paper and electronic) for patients who are moving to another practice, have left the UK or have died
    Shared by: General Medical Practices
    Shared with: Common Services Agency (NHS National Services Scotland)
    Why: To transfer to the next registered GP practice or to retain in secure storage
    When: Whenever a patient leaves a GP practice or dies
  • What is shared: GP temporary medical records (paper and electronic) for patients who have been seen by someone other than their registered GP practice
    Shared by: General Medical Practices
    Shared with: Common Services Agency (NHS National Services Scotland)
    Why: To transfer to the registered GP practice or to retain in secure storage
    When: Whenever a patient is seen by a GP practice other than the one they are registered with
  • What is shared: Patient demographic data and choice of organ donation
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: NHS Blood and Transplant
    Why: Maintenance of the UK organ donor register
    When: Whenever a patient decides to provide organ donation information via the GP registration form
  • What is shared: Patient demographic data from the GP practice registration form
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: NHSCR/General Registers Office
    Why: Maintenance of the NHSCR dataset. Demographic data for all patients is shared in order to keep the NHSCR dataset in line with CHI. The NHSCR dataset is used to identify which patients are in which NHS Boards, and which have left Scotland for other parts of the UK
    Patient demographic data is also shared from NHS National Services Scotland Information Services Division (ISD) with the GRO once a year for the purpose of tracking population movements
  • What is shared: Data on named practitioner earnings
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: HM Revenue & Customs (HMRC)
    Why: HMRC statutory functions relating to tax collection
    When: Annually
  • What is shared: Data on named practitioners
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: NHS Digital
    Why: Official Statistics and the Review Body on Doctors' and Dentists' Remuneration's annual reports. Use by stakeholders in pay and contract negotiations
    When: Annually on request by NHS Digital

What information is shared - ophthalmic

  • What is shared: All data on General Ophthalmic Service or Hospital Eye Service claim form (both paper and electronic)
    Shared by: Ophthalmic practices
    Shared with: Common Services Agency (NHS National Services Scotland)
    Why: Accurate payment
    When: All claims from General Ophthalmic Services contractors
  • What is shared: Patient ophthalmic records
    Shared by: Ophthalmic practices
    Shared with: Common Services Agency (NHS National Services Scotland)
    Why: Payment verification purposes. Obligation under both the Data Protection Act 2018/GDPR and the GOS Regulations
    When: When requested by Common Services Agency (NHS National Services Scotland)
  • What is shared: All data on GOS/HES form (both paper and electronic)
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: Common Services Agency (NHS National Services Scotland)
    Why: Prevention, detection and investigation of crime. NSS hosts NHS Scotland Counter Fraud Services
    When: Only when a patient, optometrist or other worker in the practice has been identified as potentially committing fraud
  • What is shared: Patient demographic data only – no treatment information
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: NHS Business Services Authority
    Why: Prevention, detection and investigation of crime
    When: Only in respect of sampling claims from full help with health costs or limited help with health costs
  • What is shared: Patient demographic data only – no treatment information
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: Department of Work and Pensions
    Why: Prevention, detection and investigation of crime
    When: Only in respect of sampling exemption claims from any relevant patient charges
  • What is shared: Patient demographic data only – no treatment information
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: HM Revenue and Customs
    Why: Prevention, detection and investigation of crime
    When: Only in respect of sampling exemption claims from any relevant patient charges
  • What is shared: Patient demographic data and cost of prescriptions only – no prescription drug information
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: Audit Scotland
    Why: Prevention, detection and investigation of crime
    When: Data matching exercise to identify public sector employees who make inappropriate claims for exemption
  • What is shared: Patient demographic data only – no treatment information
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: Home Office
    Why: Prevention, detection and investigation of crime
    When: Only data for specific patients who are subject to enquiries by NHS Scotland healthcare providers or by the Home Office for proscribed offences and/or for recovery of monies, in respect of receipt of NHS Scotland treatment and services as an overseas visitor (non-EEA foreign national)
  • What is shared: All data on GOS/HES form (both paper and electronic)
    Shared by: Common Services Agency (NHS National Services Scotland)
    Shared with: UK Regulatory Bodies such as the General Optical Council or General Medical Council
    Why: Professional regulation
    When: Only data relating to specific patients provided services by someone under investigation by a Regulatory Body

Other information we share

This covers a wider range of data subjects, including: health boards; integrated joint health boards; suppliers; employees (including those of other organisations); board and committee members; complainants; professional experts and consultants; family health services contractors; residents in care homes; public sector body service providers or their users; landlords; registered charities; and carers.

  • What is shared: Personal details; family details; education, training and employment details; financial details; goods and services; lifestyle and social circumstances; visual images, personal appearance and behaviour; details held in the patient's record; responses to surveys; racial and ethnic origin; offences and alleged offences; criminal proceedings, outcomes and sentences; trade union membership; physical or mental health details; religious or similar beliefs; and sexual life
    Shared by: Common Services Agency (NHS National Services Scotland) Counter Fraud Services
    Shared with: Data subjects themselves; associates and representatives of the person whose personal data we are processing; staff, including of other organisations; healthcare, social and welfare organisations; suppliers; service providers; legal representatives; auditors and audit bodies; debt collection and tracing agencies; professional advisers and consultants; business associates; police forces; other law enforcement agencies; central and local government; Crown Office and Procurator Fiscal Service
    Why: Prevention, detection and investigation of fraud or other irregularities in relation to the Health Service or Scottish public sector
    When: When gathering intelligence, pursuing reasonable lines of enquiry in an investigation, following receipt of an allegation, intelligence report or product, or commencement of a proactive investigation or exercise