Privacy and data protection

How NHS Education for Scotland manages personal data


NES holds and manages personal data for the administration and evaluation of training and education of health and social care professionals, for the employment of staff, for research and for related activities in support of our core purposes. 


About NHS Education for Scotland

NHS Education for Scotland (NES) is a public-sector body as set out in 2002 No. 103 National Health Service – the NHS Education for Scotland Order 2002.  It is one of the organisations which form part of NHS Scotland (NHSS).

NES is an education and training body and a special health board within NHS Scotland, with responsibility of developing and delivering education and training for the healthcare workforce in Scotland.


What types of personal information is collected

NES holds and manages personal data for the administration and evaluation of training and education of health and social care professionals, for the employment of staff, for research and for related activities in support of our core purposes.

We process several categories of personal data, including:

  • Training management data: including contact details for trainees, educational history, placements and records of progress
  • Educational data: contact details, records of attainment, records of attendance
  • Employee data: contact details employment and educational history, leave records, management information, performance and appraisal information
  • Contact details for: contractors and suppliers, stakeholders, volunteers, organisational leads or contacts for specific activities
  • Equality and diversity data (where provided by individuals): race or ethnicity, religion, sexual orientation, disability


Special categories of personal data and why they may be processed

NES will only process sensitive personal data (for example on health, disability, ethnicity or sexual orientation) where it is necessary to carry out our role in health workforce development; for example in mandatory monitoring of equality and diversity, to ensure that NES is a safe place to work, or to ensure compliance with other legal obligations, such as the sick pay policy or equal opportunities policy.


Retention periods of the information we hold

We only keep your information for as long as it is necessary to fulfil the purposes for which the personal information was collected.  This includes for the purpose of meeting any legal, accounting or other reporting requirements or obligations.  The NHS Scotland retention policy sets out the minimum retention timescales.


Sharing the information

We will share personal data where appropriate and necessary with third parties such as employing NHS Boards and other employers, educational institutions and regulatory and professional bodies. We will also share personal data where required to do so by law.

NES or our partners may use your contact details to tell you about relevant training opportunities, educational events or related activities.  We may also contact you to invite you to participate in the evaluation of education or related research. 


Your rights regarding your personal data

You have the following rights in regard to your personal data:

  • The right to informed of why we are collecting/holding data about you and how that data will be used;
  • The right to access the data we hold about you;
  • The right to have the data we hold about you rectified if it is inaccurate or incomplete;
  • The right to have your personal data erased and to prevent processing in specific conditions;
  • The right to restrict the processing of your data;
  • The right to obtain and reuse your personal data for your own purpose across different services;
  • The right to object to the processing of your data based on legitimate interests of NES, direct marketing or for the purposes of scientific/historical research and statistics;
  • The right not to be subject to a decision based on automated processing.


How to access your personal data?

You have the right to access the information which NES holds about you, and why, subject to any exemptions using a Subject Access Request.  Requests must be made in writing and you will need to provide:

  • Adequate information [for example full name, address, date of birth, staff number etc] so that your identity can be verified and your personal data located.
  • An indication of what information you are requesting to enable us to locate this in an efficient manner.

You should send your request to the Information Governance Team.  Contact details can be found below.

We will aim to comply with requests for access to personal data as quickly as possible.  We will ensure that we deal with requests within 30 days of receipt unless there is a reason for delay that is justifiable.


Legal basis for processing personal data

NES processes personal data under the following conditions of the General Data Protection Regulation:

“6(1)(c) processing is necessary for compliance with a legal obligation”;

“6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”

"9(2)(b) – processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement" (for special categories of data)


In some cases, the legal basis will also be;

“6(1)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes

“9(2)(a) - explicit consent to the processing of those personal data for one or more specified purposes


NES Data Protection Contact Details

For further information on data protection in NES, please contact:

Data Protection Officer
NHS Education for Scotland, Westport 102, West Port, Edinburgh, EH3 9DN



You  also have the right to raise concerns about the handling of your personal data with the Information Commissioner at


Caldicott Guardian

Every NHS organisation has a Caldicott Guardian charged with protecting patient identifiable information. NES does not deal directly with patient care and therefore we do not hold or process medical records. NES does, however, have a Caldicott Guardian tasked with ensuring patient privacy is protected in our work. He can be contacted as follows:

Dr Stewart Irvine, Director of Medicine and Caldicott Guardian

NHS Education for Scotland, Westport 102, West Port, Edinburgh EH3 9DN


Use of Cookies on NES websites

A cookie is a small data file that certain websites write to your hard drive when you visit them. This site uses different types of cookie.

If you want to delete any cookies that are already on your computer, please refer to the instructions for your file management software to locate the file or directory that stores cookies. You can access them through some types of browser. Search in your cookie folders for 'NES' to find our cookie and the Google Analytics cookie if you wish to delete them.

More information about cookies, including how to block them or delete them, can be found at

The information below describes the use of Cookies on the NES corporate website:  

Where other NES websites and portals use different cookies, this will be detailed on those websites.


Cookies used by this website

Visitors can use this website with no loss of functionality if cookies are disabled from the web browser.

The NES Corporate website uses Google Analytics, a popular web analytics service provided by Google, Inc. Google Analytics uses cookies to help us to analyse how users use the site.

The information generated by the cookie about your use of our website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of our website, compiling reports on website activity and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google undertakes not to associate your IP address with any other data held by Google.

This list shows all cookies used by the main NES website, and what each is used for.

Cookie Name




Google Analytics cookie. This stores the domain name (hash code) of site, pages viewed this session, current time.

30 minutes


Google Analytics cookie. This stores the domain name (hash code) of site.

At end of session


Google Analytics cookie. This stores the domain name (hash code) of site, a unique visitor id (randomly generated number), time of first visit, time of previous visit, current time, number of sessions since first visit.

2 years


Google Analytics cookie. This stores the domain name (hash code) of site, time when cookie last set, total number of visitor sessions, number of different channels or sources through which this site was reached, source of the last cookie update, search hit tag identifier (or just 'organic' if reached via normal search hit), search medium, keyword phrase used to find site.

6 months


This stores the name of the site (, the current time and the expiry time of the cookie. This cookie is used to test whether the visitor has accepted the cookie message.


356 Days

Collection and use of technical information

Technical details in connection with visits to this website are logged, collected and used by our website host, Scottish Health on the Web (SHOW).

We will make no attempt to identify individual users. However access to web pages will generally create log file entries in the systems of your Internet Service Provider (ISP) or network services provider.

Log files are maintained and analysed of all requests for files on SHOW servers. Aggregated analyses of these log files are used to monitor website usage. These analyses are used to allow us to monitor and evaluate the effectiveness of our websites. All log file information collected by NHS Scotland is kept secure and is not provided to any third parties.