This page provides details about the various personal information we request, obtain and store. It outlines our reason for using that information, who provides us with it and how we protect it.
If you have any questions or concerns about information we hold, please see section 10. ‘Your Rights’
1 – About NHS Greater Glasgow and Clyde
NHS Greater Glasgow and Clyde (NHSGGC) is a public organisation created in Scotland under section 1 of the National Health Service (Scotland) Act 1978 (the 1978 Act). It is one of the organisations which form part of NHS Scotland (NHSS).
NHSGGC is the data controller of the personal data it processes for the purpose of the Data Protection Act 2018 along with the General Data Protection Regulation (GDPR) and is registered as a data controller with the Information Commissioner under Notification No Z8522787.
2 – About the personal information we use
We use personal information on different groups of individuals including:
- Patients
- Staff
- Contractors
- Suppliers
- Complainants, enquirers
- Survey respondents
- Professional experts and consultants
- Individuals captured by CCTV.
The personal information we use includes information that identifies you like your name, address, date of birth and postcode.
We also use more sensitive types of personal information, including information about:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic and biometric data
- Health
- Sex life or sexual orientation.
The information we use can relate to:
- Personal and family details
- Education, training and employment details
- Financial details
- Lifestyle and social circumstances
- Goods and services
- Visual images
- Details held in the patient record
- Responses to surveys.
3 – Our purposes for using personal information
Under the 1978 Act NHSGGC has the statutory responsibility to provide or arrange for the provision of a range of healthcare, health improvement and health protection services. We are given these tasks so that we can help to promote the improvement of the physical and mental health of the people of NHSGGC and assist in operating a comprehensive and integrated national health service in Scotland.
We use personal information to enable us to provide healthcare services for patients, data matching under the national fraud initiative, research, supporting and managing our employees, maintaining our accounts and records and the use of CCTV systems for crime prevention.
On occasion we may contact you to obtain feedback on the care we provide to you, to help improve your patient experience and to provide information that we consider is appropriate to deliver our function as a Health Board, this contact may involve sending you information about appointment times, wellbeing information or general guidance information for personal care. We do not consider this as direct marketing however should you have any objections to this processing please see Section 10 of our privacy notice below on how to contact us.
4 – Our legal basis for using personal information
NHSGGC, as data controller, is required to have a legal basis when using personal information.
We consider that performance of our tasks and functions are in the public interest. So when using personal information our legal basis is usually that its use is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us. In some situations we may rely on a different legal basis, for example, when we are using personal information to pay a supplier, our legal basis is that its use is necessary for the purposes of our legitimate interests as a buyer of goods and services.
Another example would be for compliance with a legal obligation to which NHSGGC is subject to, for example under the Public Health etc (Scotland) Act 2008 we are required to notify Health Protection Scotland when someone contracts a specific disease.
When we are using more sensitive types of personal information, including health information, our legal basis is usually that the use is necessary:
- For the provision of health or social care or treatment or the management of health or social care systems and services
- For reasons of public interest in the area of public health
- In order to protect the vital interests of an individual
- For reasons of substantial public interest for aims that are proportionate and respect people’s rights, for example research
- For the establishment, exercise or defence of legal claims or in the case of a court order.
On rare occasions we may rely on your explicit consent as our legal basis for using your personal information. When we do this we will explain what it means, and the rights that are available, to you. You should be aware that we will continue to ask for your consent for other things like taking part in a drug trial, or when you are having an operation.
5 – Who provides the personal information
We receive information directly from yourself or from other individuals and organisations involved in the delivery of health and care services in Scotland. These include other NHS Boards and primary care contractors such as GPs, dentists, pharmacists and opticians, other public bodies e.g. Local Authorities and suppliers of goods and services.
6 – Sharing personal information with others
Depending on the situation, where necessary we will share appropriate, relevant and proportionate personal information in compliance with the law, with the following:
- Our patients and their chosen representatives or carers
- Staff
- Current, past and potential employers
- Local Authority Services within the Health and Social Care Partnerships
- Primary Care Network
- Healthcare social and welfare organisations
- Suppliers, service providers, legal representatives
- Auditors and audit bodies
- Educators and examining bodies
- Research organisations
- People making an enquiry or complaint
- Financial organisations
- Professional bodies
- Trade Unions
- Business associates
- Police forces
- Scottish Prison Service
- Security organisations
- Central and local government
- Voluntary and charitable organisations.
During the COVID-19 (coronavirus) pandemic, personal data is used and shared by a number of NHS Organisations across Scotland, including Public Health Scotland and NHS National Services Scotland. Full details of how the data is used can be found via the links below:
7 – Transferring personal information abroad
It is sometimes necessary to transfer personal health information overseas for example if you require urgent medical treatment abroad. When this is needed information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with NHSScotland Information Security Policy.
8 – Retention periods of the information we hold
Within NHSGGC we keep personal data as set out in the Scottish Government’s Records Management Code of Practice for Health and Social Care.
The NHS Code of Practice sets out minimum retention periods for information, including personal information, held in different types of records including personal health records and administrative records. As directed by the Scottish Government in the Records Management Code of Practice, we maintain a retention schedule which details the minimum retention period for the information and procedures for the safe disposal of personal information.
9 – How we protect personal information
We take care to ensure your personal information is only accessible to authorised people. Our staff have a legal and contractual duty to keep personal health information secure, and confidential. The following security measures are in place to protect personal information:
- All staff undertake mandatory training in Data Protection and IT Security
- Compliance with NHS Scotland Information Security Policy
- Organisational policy and procedures on the safe handling of personal information
- Access controls and audits of electronic systems.
10 – Your rights
This section contains a description of your data protection rights within NHSGGC.
The right to be informed
NHSGGC must explain how we use your personal information. We use a number of ways to communicate how personal information is used, including:
- Discussions with staff providing your care
- This Data Protection Notice
- Information leaflets
The right of access
You have the right to access your own personal information.
This right includes making you aware of what information we hold along with the opportunity to satisfy you that we are using your information fairly and legally.
You have the right to obtain:
- Confirmation that your personal information is being held or used by us
- Access to your personal information
- Additional information about how we use your personal information.
Although we must provide this information free of charge, if your request is considered unfounded or excessive, or if you request the same information more than once, we may charge a reasonable fee.
If you would like to access your personal information, you can do this by contacting:
Write to:
Health Records Legal Manager
NHS Greater Glasgow and Clyde
Admin Building Level 2
Gartnavel Royal Hospital
1055 Great Western Road
Glasgow
G12 0XH
Email: ggc.data.protection@nhs.scot
Call: 0141 355 2059
Once we have details of your request and you have provided us with enough information for us to locate your personal information, we will respond to your request without delay, within one month (30 days). However If your request is complex we may take longer, by up to two months, to respond. If this is the case we will tell you and explain the reason for the delay.
For further information on how to access your health records please go to our ‘Access to Records/Seeing your notes’ page.
The right to rectification
If the personal information we hold about you is inaccurate or incomplete you have the right to have this corrected.
If it is agreed that your personal information is inaccurate or incomplete we will aim to amend your records accordingly, normally within one month, or within two months where the request is complex. However, we will contact you as quickly as possible to explain this further if the need to extend our timescales applies to your request. Unless there is a risk to patient safety, we can restrict access to your records to ensure that the inaccurate or incomplete information is not used until amended.
If for any reason we have shared your information with anyone else, perhaps during a referral to another service for example, we will notify them of the changes required so that we can ensure their records are accurate.
If on consideration of your request NHSGGC does not consider the personal information to be inaccurate then we will add a comment to your record stating your concerns about the information. If this is case we will contact you within one month to explain our reasons for this.
If you are unhappy about how NHSGGC has responded to your request for rectification we will provide you with information on how you can complain to the Information Commissioner’s Office, or how to take legal action.
The right to object
When NHSGGC is processing your personal information for the purpose of the performance of a task carried out in the public interest or in the exercise of official authority you have the right to object to the processing and also seek that further processing of your personal information is restricted.
Provided NHSGGC can demonstrate compelling legitimate grounds for processing your personal information, for instance; patient safety or for evidence to support legal claims, your right will not be upheld.
The right to erasure / Right to be forgotten
The right to erasure is also known as “the right to be forgotten” and in general refers to an individual’s right to request the deletion or removal of personal information where there is no compelling reason for NHSGGC to continue using it.
As with other rights, there are particular conditions around this right and it does not provide individuals with an absolute right to be forgotten.
Individuals have the right to have their personal information deleted or removed in the following circumstances:
- When it is no longer necessary for the purpose for which it was collected.
- When NHSGGC no longer have a legal basis for using your personal information, for example if you gave us consent to use your personal information in a specific way, and you withdraw your consent, we would need to stop using your information and erase it unless we had an overriding reason to continue to use it.
- When you object to NHSGGC using your personal information and there is no overriding legitimate interest for us to continue using it.
- If we have used your personal information unlawfully.
- If there is a legal obligation to erase your personal information for example by court order.
NHSGGC can refuse to deal with your request for erasure when we use your personal information for the following reasons:
- To comply with a legal obligation for the performance of a public interest task or exercise of official authority.
- For public health purposes in the public interest.
- Archiving purposes in the public interest, scientific research historical research or statistical purpose.
- The exercise or defence of legal claims
When using personal information our legal basis is usually that its use is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us under the NHS Scotland Act as noted previously. This means that in most circumstances we can refuse requests for erasure. However, we will advise you of this as soon as possible following receipt of your request
The right to restrict processing
You have the right to control how we use your personal information in some circumstances. This is known as the right to restriction. When processing is restricted, NHSGGC is permitted to store your personal information, but not further use it until an agreement is reached with you about further processing. We can retain enough information about you to ensure that your request for restriction is respected in the future.
Examples of ways you can restrict our processing would be:
- If you challenge the accuracy of your personal information, stop using it until we check its accuracy.
- If you object to processing which is necessary for the performance of our tasks in the public interest or for the purpose of legitimate interests, we will restrict our processing while we consider whether our legitimate grounds override your individual interests, rights and freedoms.
- If our use of your personal information is found to be unlawful and you ask for restriction instead of full erasure we will restrict our processing.
- If we no longer need your personal information but you need it to establish, exercise or defend a legal claim, we will restrict our processing.
If we have shared your personal information with any individuals or organisations, if we restrict our processing, we will tell those individuals or organisations about our restriction if it is possible and not an unreasonable amount of effort.
Whenever we decide to lift a restriction on processing we will tell you.
The right to data portability
The right to data portability allows individuals to obtain and re-use their personal information for their own purposes across different services. It allows them to move, copy or transfer personal information easily from one IT environment to another in a safe and secure way. For example: it enables consumers to take advantage of applications and services which can use their information to find them a better deal.
The right to data portability only applies when the individual has submitted their personal information directly, through electronic means to NHSGGC. This means that in most circumstances the right to data portability does not apply within NHSGGC.
The right to automated decision making and profiling
You have the right to object to any instances where a decision is made about you solely by automated means without any human involvement, including profiling.
NHSGGC does not undertake any decision-making about you using wholly automated means.
The right to complain
NHSGGC employ a Data Protection Officer to check that we handle personal information in a way that meets data protection law. If you are unhappy with the way in which we use your personal information please tell our Data Protection Officer using the contact details below.
Write to:
Stewart Whyte
Data Protection Officer
NHS Greater Glasgow and Clyde
1 Smithhills Street
Level 2
Paisley PA1 1EB
Email: Data.Protection@ggc.scot.nhs.uk
Call: 0141 278 4774
You also have the right to complain about how we use your personal information to the Information Commissioner’s Office (ICO).
11 – Child Friendly Privacy Notice
What is a Privacy Notice?
A privacy notice helps us tell you how NHS Greater Glasgow and Clyde use information we hold about you, like your name, address, date of birth and all of the notes the doctor or nurse makes about you in your health record.
From the age of 12 years old the law allows you to make some decisions about what we do with your information. In some situations we should ask your permission if we want to do anything with your information (this is known as processing). You can still ask an adult (like your Mum or Dad) for help with this if you don’t understand what we are asking you.
Why do we need one?
We need a privacy notice to make sure we meet the rules which are written in a law called the UK General Data Protection Regulation (UK GDPR for short).
What is the UK GDPR?
The UK GDPR is a rule that was introduced in 2021. It gives us guidelines to follow and provides you with a list of your rights, like:
- The right to be told how we use your information
- The right to be told how we make sure that the information is kept safe
- The right to ask to see the information we hold
- The right to ask us to change information you think is wrong.
What information do we collect about you and how do we use it?
We collect personal information so we know who you are and other types of information to manage a patient’s health – such as your name, address, information about your parents or guardians, records of appointments, visits, telephone calls, your health record, treatment and medicines, test results, X-rays and any other information to enable us to care for you.
We might need to share this information with other medical teams in hospitals, for example, if you need to be seen by a special doctor or sent for an X-ray. We may be asked to help with exciting medical research but we will always ask you, or your parents or adults with parental responsibility, if it’s okay to share your information.
How do we keep your information safe?
Everyone working in the NHS knows that they need to keep your information safe. Especially the information which identifies you; this might be your name or address and anything that you come to see us about. We are not allowed to share this type of information with anyone that shouldn’t see it. This includes talking to them about it.
How can you see the information that we hold?
Under the new UK GDPR you are allowed to ask to see your health records whenever you like, we call this a Subject Access Request (SAR for short). This is normally free. To be able to see your records you will need to contact us, you can phone, email or write to us. We will ask you for some basic details so that we can make sure that we are giving this information to the right person. We will check with the doctor that it is okay for us to give you your health record and once the doctor has agreed we will give you the information within 1 month of you asking us.
After seeing your health record if you think that any of the information you see is not correct, you can ask for this information to be taken out or corrected. This can only be done if we are 100% sure that the information is NOT correct.
What if you don’t want your information to be shared?
All of our patients, no matter what their age, can in some circumstances say that they don’t want us to share their information. If you are older than 12 and understand this decision, you are allowed to make the decision by yourself. If you’re not sure about something, you can always ask us or another adult you trust.
What should I do if any of my information changes?
It is important that you tell us or any other person treating you if any of your details such as your name, address or contact details have changed. This is because we sometimes have to share your information with other people like healthcare staff or your own Doctor and we need to be sure that we are talking about the correct person.
What if I have questions?
If this doesn’t give you the information you need you can ask a member of medical staff or someone you trust.
What if I want to complain?
If you are not happy about how your information is being kept or shared, you can speak to our Data Protection Officer or a member of the Information Governance Team and explain why you want to complain. You can email us at data.protection@ggc.scot.nhs.uk
Would you like to know more?
We try to give you as much information as possible and we always make sure that the information we give you about how we use your data is up to date. Any updates will be published on this website www.nhsggc.scot
12 – Forensic Medical Service Data Protection Notice
Data Protection Notice
This data protection notice relates to the Forensic Medical Service (FMS). It applies to personal information of all individuals who are referred by Police Scotland or who self-refer for a forensic medical examination (FME) following a rape or sexual assault.
Specifically, this notice applies to personal information processed as part of an FME to support your health and wellbeing and identify your healthcare needs. It also applies to your personal information being used to support any criminal investigations and/or future prosecutions for Police Scotland referrals, or self-referrals (should you wish to report the incident to Police Scotland at a later date).
Data Controllers
For personal information processed in order to support your health and wellbeing and identify your healthcare needs, NHS Greater Glasgow & Clyde is the data controller:
J B Russell House,
Gartnavel Royal Hospital Campus
1055 Great Western Road
G12 0XH
Glasgow
For personal information collected in order to support any criminal investigation and future prosecution, Police Scotland is the data controller:
The Chief Constable of the Police Service of Scotland
Tulliallan Castle
Kincardine
Fife
FK19 4BE
What types of personal information do we process?
NHS Greater Glasgow & Clyde will process your personal information, including sensitive information as part of the FME. For example – name, address, date of birth, postcode and information about your health such as risk of pregnancy and details of onward healthcare referrals made.
Only forensic information collected as part of the FME will be used to support any criminal investigation and future prosecution (for self-referral should you wish to report the incident to Police Scotland at a later date). We will not share your health information unless legally required to do so. This information will be kept separately from your master health record.
Our purposes for processing your personal information
NHS Greater Glasgow & Clyde will process your personal information for the following purposes:
- To support your health and wellbeing and identify your healthcare needs
- To collect evidence that would support any criminal investigation and future prosecution (for self-referral should you wish to report the incident to Police Scotland at a later date)
Our lawful basis for processing personal information
NHS Greater Glasgow & Clyde will only process your personal information where data protection law allows us to. In order to support your health and wellbeing and identify your healthcare needs, we process your personal information under the following legal bases:
- Personal Information: Article 6 (UK GDPR) 1(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Special Category Information: Article 9 (UK GDPR) 2(h) – processing is necessary for the purposes of medical diagnosis and the provision of health or social care.
In order to collect evidence that would support any criminal investigation and future prosecution (should you wish to report the incident to Police Scotland at a later date), we process your personal information in line with Part 3 of Data Protection Act 2018 and under the following legal bases:
- Personal Information: Part 3, Chapter 2, Section 35 (DPA) 35 (2) (b): processing is necessary for the performance of a task carried out for that purpose by a competent authority.
- Sensitive Processing: Part 3, Chapter 2, Section 35 (DPA) 35 (5) (a): processing is strictly necessary for law enforcement purpose.
Who provides the personal information?
Personal information will be provided either:
- directly by you when you self-refer to the service.
- on occasions where you are referred to us by Police Scotland, they will share information which is necessary to support you and Police Scotland’s ongoing investigation.
Sharing of personal information
NHS Greater Glasgow & Clyde will only share your information where there is a clear legal basis to do so:
- We will share limited anonymous information with Public Health Scotland for the purpose of reporting on the operation of the Forensic Medical Service;
- We may share information with relevant services/agencies as part of onward health related referrals;
- Information provided by you will not be shared with Police Scotland unless you decide to report the incident to Police Scotland. The exceptions to this are if you are:
- under 16 years of age;
- aged 17 or 18 years old and under the care of social work;
- thought to be in imminent danger.
- originally referred to the service by the police.
We may also share information when there is a perceived threat to life to someone other than yourself. All health professionals are bound by the duty of confidentiality and their own professional regulatory body.
Security of your personal information
NHS Greater Glasgow & Clyde takes care to ensure your personal information is only accessible to authorised individuals. Our staff have a legal and contractual duty to keep personal health information secure and confidential. Set out below are some example security measures:
- Access to your personal information is restricted to those who have a need to access it in order to carry out their legitimate duties.
- All staff undertake mandatory training in Data Protection and IT Security.
- Organisational policy and procedures on the safe handling of personal information.
Retaining personal information
NHS Greater Glasgow & Clyde will retain personal information collected to support your health and wellbeing and identify your healthcare needs in line with the Scottish Government Records Management Health & Social Care Code of Practice (Scotland) 2020.
NHS Greater Glasgow & Clyde will retain personal information collected to support any criminal investigation and future prosecution. After a self-referral, should you wish to report the incident to Police Scotland at a later date, the information will be held for 26 months.
Your rights
You have a number of rights under the forensic medical service along with data protection law rights. Specifically:
FMS Rights
- The right to be informed: we will explain fully what may happen to evidence collected during a forensic medical examination.
- The right to return of evidence: you have the right to request that any evidence gathered during the forensic medical examination is returned to you (that is, items which were worn or otherwise present during the incident which gave rise to the examination, but does not include for example, samples)
- The right to destruction: you have the right to request that evidence is destroyed and will be allowed a 30 day cooling off period to allow you to change your mind.
Data Protection Rights
- The right to be informed: we explain how and why we use your personal information;
- The right of access: you have the right to access your personal information;
- The right to rectification: if the personal information we hold about you is inaccurate or incomplete, you have the right to have this corrected;
- The right to restrict processing: you have the right to request that further processing of your personal information is restricted;
- The right to erasure: you have the right to request that your personal information is erased.
Some rights are not absolute and only apply in certain circumstances. For more information on your rights please see: www.ico.org.uk. If you would like to exercise your rights, you can contact the below team:
Data Protection Team
1 Smithhills Street
Paisley
PA1 1EB
Data.protection@ggc.scot.nhs.uk
Complaints about how we process your personal information
If you are unhappy about how NHS Greater Glasgow & Clyde has processed your personal information you can also contact the Data Protection Officer at the above address.
You also have the right to make a complaint to the Information Commissioner’s Office:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113
13 – Research and Innovation
NHSGGC is a research active organisation. We work closely with other health and social care organisations, academic partners and industry to review, inform and improve health, care and services through research. As a publically funded organisation, the research and innovation undertaken in NHSGGC must be in the public interest and necessary for scientific research.
We may use information contained in clinical records for research on health conditions, treatments and care, to audit our services against agreed standards and to help develop and improve our services.
When we do this, there are processes in place to make sure that patient confidentiality and security issues are considered appropriately. Uses of patient information for research and development are always in the public interest and subject to strict transparency, proportionality, minimisation and anonymisation principles, in line with the Information Commissioner’s Office (ICO) guidance.
Some research and innovation may process personal information without patient consent. In Scotland, the Public Benefit and Privacy Panel may review the legal basis, transparency and safeguards required for this to be approved, or there can be local ethical review by an independent committee under the West of Scotland Safe Haven REC approval. Personal information processed for research purposes within the Safe Haven, including routinely collected health data and research application data, is usually pseudonymised prior to presentation to accredited researchers. For more information see the West of Scotland Safe Haven website.
For individual Health Boards, approval for participation in national research and development work or work within the Health Board itself is approved by the Board’s Caldicott Guardian, a senior person responsible for protecting the confidentiality of patient’s health and care information and making sure it is used properly.
Research can include the provision of data, including identifiable data, to national registries for long-term analysis of trends in particular conditions for the benefit of everyone. It can also include the aggregation (bringing together) of data from different parts of the health and social care system. However, the outputs of research are always anonymous, are not used to make decisions about you personally and safeguards will be put in place to help ensure the use of your data will never be harmful to you.
Health Boards may also take part in clinical trials however your consent will always be obtained in order for you to take part in a clinical trial. Once the information is used as part of the research study, your rights to access, change or move information may not apply because the integrity, reliability and accuracy of the research could be affected. If you withdraw from a study it may not be possible to remove information about you that has already been obtained.
The legal basis for carrying out Research and Development work with patient information is UKGDPR Article 6(1)(e) and UKGDPR Article 9(2)(j) in accordance with Schedule 1 Part 1 Paragraph 4 of the Data Protection Act 2018.
For more information on Research and Innovation please contact RandDPROJECTEMAILS@ggc.scot.nhs.uk