NES' Privacy and Data Protection policy

How we use your personal data

NHS Education for Scotland (NES) holds and manages personal data for the administration and evaluation of training and education of healthcare professionals, for the employment of staff, for research and for pursuing related legitimate activities in support of our core purposes. We will manage the processing of your personal data to ensure compliance with Data Protection principles.

Under the Data Protection Act 1998, NES is registered as a data controller registered with the Information Commissioner. This registration describes the kind of information we may hold about you, how it may be processed and with whom it may be shared. Our registration is Z7921413 which can be viewed at:

http://www.ico.gov.uk/ESDWebPages/search.asp

NES holds personal information in electronic systems such as computer records and databases as well as on paper files. Personal data will be held for no longer than necessary in line with our records retention policy.

We will share personal data where appropriate and necessary with third parties such as employing NHS Boards, and regulatory and professional bodies.

Sensitive information and why it may be requested

Sensitive data is defined as that which relates to racial or ethnic origins, political opinions, religious beliefs, union membership, physical or mental health (including disabilities), sexual life, the commission or alleged commission of offences and criminal proceedings.

NES will only process personal data where it is necessary to carry out our role in health workforce development; for example in mandatory monitoring of equality and diversity, to ensure that NES is a safe place to work, or to ensure compliance with other legal obligations, such as the sick pay policy or equal opportunities policy. Any other use of sensitive data, for example in research, will only be with the express consent of the individuals concerned.

User anonymity & personal information on SHOW and the NES website

NES are part of the SHOW network and use SHOW to host their site. Log files are maintained and analysed of all requests for files on the SHOW servers. Aggregated analyses of these log files are used to monitor website usage. These analyses are made available to NES to allow them to measure, for example, overall popularity of the site and typical user paths through the site.

In combination with other information which is not collected by SHOW but which may be collected by suppliers of network services, it may in certain situations be possible to identify an individual user's use of the NES website. SHOW does not collect the additional information required and will make no attempt to track or identify individual users, except where explicit consent for this is given or where there is a reasonable suspicion that unauthorised access to systems is being attempted. In the case of all users, SHOW reserves the right to attempt to identify and track any individual who is reasonably suspected of trying to gain unauthorised access to computer systems or resources operating as part of the SHOW service. As a condition of use of this site, all users must give permission for SHOW to use its access logs to attempt to track users who are reasonably suspected of gaining or attempting to gain unauthorised access.

All log file information collected by SHOW and passed onto NES is kept secure and no access to raw log files is given to any third party.

Use of Cookies

A cookie is a small data file that certain websites write to your hard drive when you visit them. This site uses different types of cookie.

We use Google Analytics, a popular web analytics service provided by Google, Inc. Google Analytics uses cookies to help us to analyse how users use the site.

The information generated by the cookie about your use of our website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of our website, compiling reports on website activity and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google undertakes not to associate your IP address with any other data held by Google.

If you want to delete any cookies that are already on your computer, please refer to the instructions for your file management software to locate the file or directory that stores cookies. You can access them through some types of browser. Search in your cookie folders for 'NES' to find our cookie and the Google Analytics cookie if you wish to delete them.

More information about cookies, including how to block them or delete them, can be found at AboutCookies.org.

Visitors can use this website with no loss of functionality if cookies are disabled from the web browser.

Cookies used by this website

This list shows all cookies used by the NES website, and what each is used for:

Cookie Name

Purpose

Expiry

__utmb

Google Analytics cookie. This stores the domain name (hash code) of site, pages viewed this session, current time.

30 minutes

__utmc

Google Analytics cookie. This stores the domain name (hash code) of site.

At end of session

__utma

Google Analytics cookie. This stores the domain name (hash code) of site, a unique visitor id (randomly generated number), time of first visit, time of previous visit, current time, number of sessions since first visit.

2 years

__utmz

Google Analytics cookie. This stores the domain name (hash code) of site, time when cookie last set, total number of visitor sessions, number of different channels or sources through which this site was reached, source of the last cookie update, search hit tag identifier (or just 'organic' if reached via normal search hit), search medium, keyword phrase used to find site.

6 months

NESCookiesWarning

This stores the name of the site (www.nes.scot.nhs.uk), the current time and the expiry time of the cookie. This cookie is used to test whether the visitor has accepted the cookie message.

356 Days

 

Sharing personal information

Depending on the purpose for which you provided your personal data in the first place, NES may be required to share some information with other organisations: for example the NHS Board that employs you, or relevant professional or regulatory bodies.

NES will use personal information as described in our registration. Under no circumstances will NES supply your personal details to organisations other than those described in our registration (see 

National Fraud Initiative

This authority is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

On behalf of the Auditor General for Scotland, Audit Scotland appoints the auditor to audit the accounts of this authority. It is also responsible for carrying out data matching exercises.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified but the inclusion of personal data within a data matching exercise does not mean that any specific individual is under suspicion. Where a match is found it indicates that there may be an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out. The exercise can also help bodies to ensure that their records are up to date.

Audit Scotland currently requires us to participate in a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to Audit Scotland for matching for each exercise, and these are set out in Audit Scotland's instructions, which can be found at: http://www.audit-scotland.gov.uk/work/nfi.php

The use of data by Audit Scotland in a data matching exercise is carried out with statutory authority, normally under its powers in Part 2A of the Public Finance and Accountability (Scotland) Act 2000. It does not require the consent of the individuals concerned under the Data Protection Act 1998.

Data matching by Audit Scotland is subject to a Code of Practice. This may also be found at: http://www.audit-scotland.gov.uk/work/nfi.php

For further information on Audit Scotland's legal powers and the reasons why it matches particular information, see the full text privacy notice at: http://www.audit-scotland.gov.uk/work/nfi.php

or contact Janice Sinclair, Head of Financial Services, NHS Education for Scotland (Tel 0131 656 3281; Email: Janice.Sinclair@nes.scot.nhs.uk)

Keeping you informed

NES or our partners may use the personal details you provide to tell you about relevant training opportunities, educational events or related activities. We may also contact you to invite you to participate in the evaluation of education or related research. Your personal details will not be provided to commercial organisations for direct marketing purposes.

Your rights

You have the right to:

  • Find out what information NES holds about you
  • Ask for inaccurate data to be corrected
  • See what information NES holds about you.

How can I access information about me?

  • If you would like to see information you think we hold about you, please complete and return NES Subject Access Request Form.
  • We will ask for proof of identity - such as a passport or photo ID driving licence - and a payment of £10 to cover administrative costs.
  • Once we have received your request, identification and fee, we must respond to you within 40 days.

NES Data Protection contact details

For further information on data protection in NES, please contact:

Frank Rankin
Information Governance Manager
NHS Education for Scotland
1st Floor,Clifton House
Clifton Place
Glasgow G3 7LD

0141 352 2923
frank.rankin@nes.scot.nhs.uk

Caldicott Guardian

Every NHS organisation has a Caldicott Guardian whose role is to agree and review protocols governing the protection and use of patient identifiable information. NES does not deal directly with patient care and therefore we do not hold or process medical records. NES does, however, have a Caldicott Guardian tasked with ensuring patient privacy is protected in our work. He can be contacted as follows:

Dr Stewart Irvine
Director of Medicine and Caldicott Guardian
Westport 102
West Port
Edinburgh
EH3 9DN

0131 656 3200
stewart.irvine@nes.scot.nhs.uk