About NHS Education for Scotland (NES)
NES is a special health board within NHS Scotland. Our responsibility is developing and delivering education and training for the health and social care workforce. We are also the lead body for digital development in health and social care.
NES was set up by the NHS Education for Scotland statutory order (2002, no. 103).
1. How NES manages personal data
NES is a data controller under UK data protection laws. We hold and manage personal data for:
- Administration and evaluation of training and education of health and social care professionals.
- Related research and support activities, and employment of staff.
- As digital services lead we also process growing amounts of patient data on behalf of NHS boards.
- We also collect a variety of information on staff employed in NHS Scotland. This is used by NES and NHS Boards to support local, regional and national workforce planning.
- We may need to supply personal information, including personal data, to regulators if requested. This is done on a statutory basis.
NES is a ‘data controller’ under the Data Protection Act. We have notified the Information Commissioner that we process personal data and our registration number is: Z7921413
The details are publicly available from the:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow SK9 5AF
To search the register for NES, please go to Information Commissioner's Office (ICO).
2. About the personal information we use
As a controller we collect and use (process) the following kinds of personal data:
- Educational: contact details, records of attainment, records of attendance.
- Employee: contact details, employment and educational history, leave records, management information.
- Service user: details of those who subscribe to our newsletters or request a publication from us.
- Expert, consultant, and volunteer.
- Patient: contact details - for example, for vaccination purposes.
- Training management: including contact details for trainees, educational history, placements and records of progress.
As a processor only, we use personal data including that in:
- Consultations between individuals and health and social care professionals.
When you do not provide information directly to us, we may hold it because we have received it from other individuals and bodies involved in the delivery of health and care services in Scotland. These include other NHS boards or public bodies and suppliers of goods and services.
We may use your work contact details to tell you about relevant training opportunities, educational events or related activities, or resources that may be of interest. We may also contact you to invite you to participate in the evaluation of education or related research. We only contact a non-work email address if we have your permission to do so.
Special categories of personal data
We also process information about racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; health; and sex life or sexual orientation.
As a controller, NES processes sensitive personal data where it is necessary to carry out our role in health workforce development. For example, in mandatory monitoring of equality and diversity to ensure that NES is a safe place to work, or to ensure compliance with other legal obligations, such as the sick pay policy or equal opportunities policy.
As either a data controller or a data processor, NES also processes sensitive personal data in its role as a lead digital provider for the provision of and management of health and social care systems and services, supporting NHS Boards in the delivery of health and social care treatment.
NES is the data controller for a secure National Clinical Data Store (NCDS), where data is currently being used to support the COVID-19 vaccination of Scotland’s population. The information held in the national clinical data store forms part of the patient’s clinical record and is required by NHS Scotland to allow clinical audit and ensure safe treatment. There are no fundamental changes to your data protection rights. Should you wish to exercise your rights in relation to vaccination data held about you within the national clinical data store, please contact NES.
For more information about this processing of personal and sensitive personal data in the NCDS, and the role of NES, please see this NHS Scotland webpage:
NES is also involved in NHS shielding systems as a data controller. For more information please see:
To find out how personal data is being used across NHS Scotland during the COVID-19 response, please see:
Information for the public on COVID-19 can be found on NHS Inform
3. Sharing personal information with others
We will share personal data where appropriate and necessary with third parties such as NHS boards who are providing care to patients or undertaking public health reporting, and in their employer role, and educational institutions and regulatory and professional bodies. We will also share personal data where required to do so by law.
In collaborating with our partners to deliver an effective COVID-19 response, we recognise that the duty to share information can be as important as the duty to protect confidentiality. Therefore, with other data controllers in NHSScotland, NES has agreed to the intra-NHS Scotland Information Sharing Accord.
4. Our legal basis for processing personal data
NES is required to comply with the General Data Protection Regulation 2016 and the Data Protection Act 2018 and have an appropriate legal basis when using personal data. When using personal information our legal basis is usually:
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation.
On occasion we may seek your explicit and informed consent as the legal basis for using your personal data. When we do, we must explain the rights that are available to you. For example, you can easily withdraw consent at any time.
When we use sensitive personal information as data controller, including health information, our legal basis is usually:
- Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement (for special categories of data)
- Processing is necessary for the provision of health or social care or treatment or the management of health or social care systems and services
- Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
5. How we protect personal information
We take care to ensure your personal information is only accessible to authorised people. Our staff have a legal and contractual duty to keep personal health information secure and confidential. The following security measures are in place to protect personal information:
- All staff undertake mandatory training in data protection and information security.
- Organisational policy and procedures on the safe handling of personal information.
- Compliance with NHS Scotland Information Security Policy Framework.
- Access controls and audits of electronic systems.
We are working towards ISO 27001 certification, potentially in late 2019. This is the international standard for information security.
6. Retention periods for the information we hold
We only keep your information for as long as is necessary to fulfil the purposes for which the personal information is collected. This includes for the purposes of meeting any legal, accounting or other reporting requirements or obligations. The NHS Scotland retention policy sets out the minimum retention timescales.
7. Your rights regarding your personal data
This section contains a description of your data protection rights within NES.
The right to be informed
NES must explain how your personal data is used. We communicate how personal information is used in several ways, including:
- Privacy notices such as this, some of which are flagged directly to you when we collect your personal data.
- For a list of our websites and portals and their privacy notices please see Appendix 1 [DOC].
- Information leaflets.
The right of access
You have the right to obtain confirmation from NES on whether your personal data is being processed. Where it is, you have the right to access the personal data and the following:
- The purposes of the processing
- The kinds of personal data concerned
- The recipients or kinds of recipient to whom the personal data have been or will be disclosed
- Where possible, the period foreseen for storage of personal data, or, if not possible, how that period will be set.
- Where the personal data are not collected from you, any available information as to their source
- The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved. Also, the significance and any foreseen consequences of such processing for you.
We must provide this information free of charge. However, if you request copies we may charge a reasonable administrative fee.
When you make a subject access request we ask for proof of identity such as a passport, photo ID driving licence, or proof of address. Once we have details of your request and you have given us enough information to find your personal data, we must respond without delay, within one month (30 days).
If your request is complex we may take longer, up to two months, to respond. If this is the case, we will tell you before the first month is up and give a reason for the delay.
If you would like to see information we hold about you, please complete the NES Subject Access Request Form [DOC].
This should be returned to:
You do not have to use this form, but it ensures you give us the details that speed request processing. You can also post a request to:
Data Protection Officer
NHS Education for Scotland,
Westport 102, West Port,
Edinburgh, EH3 9DN
The right to rectification
If the personal information we hold about you is inaccurate or incomplete you have the right to have this corrected.
If it is agreed that your personal information is inaccurate or incomplete we will aim to amend your records, normally within one month, or two months where the request is complex. We will contact you as quickly as possible to explain any need to extend our timescales.
If NES does not see the personal information to be inaccurate, we will add a comment to your record stating your concerns about the information. If this is the case, we will contact you within one month and give our reasons.
If you are unhappy about how we have responded to your request for rectification we will give you information on how to complain to the Information Commissioner’s Office, or to take legal action.
The right to object
When NES is processing your personal information for the performance of a task carried out in the public interest or in the exercise of official authority you have the right to object to the processing, or to seek restriction of further processing.
Where NES can demonstrate lawful grounds for processing your personal information, for instance patient safety or evidence to support legal claims, your right will not be upheld.
The right to complain
NES employs a Data Protection Officer to check that we handle personal information in ways that meet data protection law. If you are unhappy with the way in which we use your personal information, please tell our Data Protection Officer.
You have the right to raise concerns about the handling of your personal data with the Information Commissioner.
Other rights under the data protection law only apply to some cases. Please see Appendix 2 [DOC].
A cookie is a small data file that certain websites write to your hard drive when you visit them. This NES site uses various types of cookie. These cookies are used to make our websites run more efficiently. They also allow our web server to remember and store your preferences as you travel around our pages.
| Cookie | Description | Expiry |
| --- | --- | --- |
| __utmb | Google Analytics cookie. This stores the domain name (hash code) of site, pages viewed this session, current time. | 30 minutes |
| __utmc | Google Analytics cookie. This stores the domain name (hash code) of site. | At end of session |
| __utma | Google Analytics cookie. This stores the domain name (hash code) of site, a unique visitor id (randomly generated number), time of first visit, time of previous visit, current time, number of sessions since first visit. | 2 years |
| __utmz | Google Analytics cookie. This stores the domain name (hash code) of site, time when cookie last set, total number of visitor sessions, number of different channels or sources through which this site was reached, source of the last cookie update, search hit tag identifier (or just 'organic' if reached via normal search hit), search medium, keyword phrase used to find site. | 6 months |
This stores the name of the site (www.nes.scot.nhs.uk), the current time and the expiry time of the cookie. This cookie is used to test whether the visitor has accepted the cookie message.
Collection and use of technical information
Technical details in connection with visits to this website are sometimes logged and collected in the Turas Hosting platform (Microsoft Azure).
We will make no attempt to identify individual users. However, access to web pages will generally create log file entries in the systems of your Internet Service Provider (ISP) or network services provider.
Log files of all requests for files on Microsoft Azure may be maintained and analysed. Aggregated analyses of these log files are used to monitor website usage. These analyses are used to allow us to monitor and evaluate the effectiveness of our websites. All log file information collected by NES is kept secure and is not provided to any third parties.
9. Third party sites
By recording consent to receive any of our newsletters, you understand that Mailchimp will be responsible for storing and managing your name and email address. You can unsubscribe at any time by selecting the Unsubscribe link at the bottom of each newsletter.
To request manual removal of your details, email us at: firstname.lastname@example.org.
Questback is an online survey tool used to help improve services and resources offered by NES.
The purpose of each survey and the intended use of your data will always be explained within the form. By completing and submitting, you understand that Questback will be responsible for storing and managing your name and email address, plus any other information requested, for the period specified on the form.
To request removal of your details, email us at: email@example.com.
10. NES Data Protection Contact Details
For further information on data protection in NES, please contact:
Data Protection Officer
NHS Education for Scotland,
Westport 102, West Port,
Edinburgh, EH3 9DN
Every NHS organisation has a Caldicott Guardian charged with protecting patient identifiable information. NES does not deal directly with patient care and therefore we do not hold or process medical records. NES does, however, have a Caldicott Guardian tasked with ensuring patient privacy is protected in our work. He can be contacted as follows:
Dr Stewart Irvine
Director of Medicine and Caldicott Guardian
NHS Education for Scotland
Edinburgh EH3 9DN