Privacy & Data Protection
NES' Privacy and Data Protection policy
How we use your personal data
NHS Education for Scotland (NES) holds and manages personal data for the administration and evaluation of training and education of healthcare professionals, for the employment of staff, for research and for pursuing related legitimate activities in support of our core purposes.
The NES Information Governance page explains how we will manage the processing of your personal data to ensure compliance with Data Protection principles.
Under the Data Protection Act 1998, NES is registered as a data controller with the Information Commissioner. This registration describes the kind of information we may hold about you, how it may be processed and with whom it may be shared. Our registration is Z7921413 which can be viewed at:
NES holds personal information in electronic systems such as computer records and databases as well as on paper files. Personal data will be held for no longer than necessary in line with our records retention policy.
Sensitive information and why it may be requested
Sensitive data is defined as that which relates to racial or ethnic origins, political opinions, religious beliefs, union membership, physical or mental health (including disabilities), sexual life, the commission or alleged commission of offences and criminal proceedings.
NES will only process personal data where it is necessary to carry out our role in health workforce development; for example in mandatory monitoring of equality and diversity, to ensure that NES is a safe place to work, or to ensure compliance with other legal obligations, such as the sick pay policy or equal opportunities policy. Any other use of sensitive data, for example in research, will only be with the express consent of the individuals concerned.
User Anonymity & Personal Information on SHOW and the NES website
NES are part of the SHOW network and use SHOW to host their site. Log files of all requests for files on the SHOW servers are maintained and analysed. Aggregated analyses of these log files are used to monitor website usage. These analyses are made available to NES to allow them to measure, for example, overall popularity of the site and typical user paths through the site.
In combination with other information which is not collected by SHOW but which may be collected by suppliers of network services, it may in certain situations be possible to identify an individual user's use of the NES website. SHOW does not collect the additional information required and will make no attempt to track or identify individual users, except where explicit consent for this is given or where there is a reasonable suspicion that unauthorised access to systems is being attempted. In the case of all users, SHOW reserves the right to attempt to identify and track any individual who is reasonably suspected of trying to gain unauthorised access to computer systems or resources operating as part of the SHOW service. As a condition of use of this site, all users must give permission for SHOW to use its access logs to attempt to track users who are reasonably suspected of gaining or attempting to gain unauthorised access.
All log file information collected by SHOW and passed on to NES is kept secure and no access to raw log files is given to any third party.
NES does not store any information that would on its own allow us to identify individual users of this service without their permission. Any cookies that may be used by NES are used either solely on a per session basis or to maintain user preferences. Cookies are not shared with any third parties.
Sharing personal information
Depending on the purpose for which you provided your personal data in the first place, NES may be required to share some information with other organisations: for example the NHS Board that employs you, or relevant professional or regulatory bodies.
Together with other public sector bodies, NES provides payroll information for NES staff and some trainees to support the National Fraud Initiative. More information here.
NES will use personal information as described in our registration. Under no circumstances will NES supply your personal details to organisations other than those described in our registration (see below).
National Fraud Initiative
This authority is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing and administering public funds, in order to detect and prevent fraud.
On behalf of the Auditor General for Scotland, Audit Scotland appoints the auditor to audit the accounts of this authority. Audit Scotland also assists appointed auditors by conducting a National Fraud Initiative which is a data matching exercise.
Data matching involves comparing computer records held by one body against other computer records held by the same or another body. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it indicates that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
Audit Scotland currently requires us to participate in a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to Audit Scotland for matching for each exercise, and these are set out in Audit Scotland's Instructions (or Handbook), which can be found at: http://www.audit-scotland.gov.uk/our-work
The use of data by Audit Scotland in a data matching exercise is carried out with statutory authority:
- Until October 2010, under auditors' powers in section 100 of the Local Government (Scotland) Act 1973 and section 53 of the Local Government in Scotland Act 2003. These powers may also be used, where appropriate, after October 2010.
- From October 2010, under new data matching powers expected to be included at Part 2A of the Public Finance and Accountability (Scotland) Act 2000 (as amended by Section 70 of the Criminal Justice and Licensing (Scotland) Act 2010).
Audit Scotland does not require the consent of the individuals concerned under the Data Protection Act 1998. Data matching by Audit Scotland is subject to a Code of Data Matching Practice. This may also be found at http://www.audit-scotland.gov.uk/our-work.
For further information on Audit Scotland's legal powers and the reasons why it matches particular information, see the full text fair processing notice at: http://www.audit-scotland.gov.uk/our-work or contact Janice MacPhail (0131 220 8669)
Keeping you informed
NES or our partners may use the personal details you provide to tell you about relevant training opportunities, educational events or related activities. We may also contact you to invite you to participate in the evaluation of education or related research. Your personal details will not be provided to commercial organisations for direct marketing purposes.
You have the right to:
- find out what information NES holds about you
- ask for inaccurate data to be corrected
- see what information NES holds about you
How can I access information about me?
- If you would like to see information you think we hold about you, please complete and return 'NES Subject Access Request Form'.
- We will ask for proof of identity - such as a passport or photo ID driving licence - and a payment of £10 to cover administrative costs.
- Once we have received your request, identification and fee, we must respond to you within 40 days.
NES Data Protection Contact Details
For further information on data protection in NES, please contact:
Information Governance Manager
NHS Education for Scotland
1st Floor, Clifton House
Glasgow G3 7LD
0141 352 2923
Every NHS organisation has a Caldicott Guardian whose role is to agree and review protocols governing the protection and use of patient identifiable information. NES does not deal directly with patient care and therefore we do not hold or process medical records. NES does, however, have a Caldicott Guardian tasked with ensuring patient privacy is protected in our work. He can be contacted as follows:
Dr Mike Watson,
Director of Medicine and Caldicott Guardian
91 Haymarket Terrace
0131 313 8040
Other Data Protection Links
Information Commissioner Web Site
NHS Information Governance - eLibrary portal