Skip to content
Home > Patient & Visitor FAQs > Data Protection & Privacy

Data Protection & Privacy

This page provides details about the various personal information we request, obtain and store. It outlines our reason for using that information, who provides us with it and how we protect it.

If you have any questions or concerns about information we hold, please see section 10. ‘Your Rights’

1 – About NHS Greater Glasgow and Clyde

NHS Greater Glasgow and Clyde (NHSGGC) is a public organisation created in Scotland under section 1 of the National Health Service (Scotland) Act 1978 (the 1978 Act). It is one of the organisations which form part of NHS Scotland (NHSS).

NHSGGC is the data controller of the personal data it processes for the purpose of the Data Protection Act 2018 along with the General Data Protection Regulation (GDPR) and is registered as a data controller with the Information Commissioner under Notification No Z8522787.

2 – About the personal information we use

We use personal information on different groups of individuals including:

  • Patients
  • Staff
  • Contractors
  • Suppliers
  • Complainants, enquirers
  • Survey respondents
  • Professional experts and consultants
  • Individuals captured by CCTV.

The personal information we use includes information that identifies you like your name, address, date of birth and postcode.

We also use more sensitive types of personal information, including information about:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic and biometric data
  • Health
  • Sex life or sexual orientation.

The information we use can relate to:

  • Personal and family details
  • Education, training and employment details
  • Financial details
  • Lifestyle and social circumstances
  • Goods and services
  • Visual images
  • Details held in the patient record
  • Responses to surveys.
3 – Our purposes for using personal information

Under the 1978 Act NHSGGC has the statutory responsibility to provide or arrange for the provision of a range of healthcare, health improvement and health protection services. We are given these tasks so that we can help to promote the improvement of the physical and mental health of the people of NHSGGC and assist in operating a comprehensive and integrated national health service in Scotland.

We use personal information to enable us to provide healthcare services for patients, data matching under the national fraud initiative, research, supporting and managing our employees, maintaining our accounts and records and the use of CCTV systems for crime prevention.

On occasion we may contact you to obtain feedback on the care we provide to you, to help improve your patient experience and to provide information that we consider is appropriate to deliver our function as a Health Board, this contact may involve sending you information about appointment times, wellbeing information or general guidance information for personal care. We do not consider this as direct marketing however should you have any objections to this processing please see Section 10 of our privacy notice below on how to contact us.

4 – Our legal basis for using personal information

NHSGGC, as data controller, is required to have a legal basis when using personal information.

We consider that performance of our tasks and functions are in the public interest. So when using personal information our legal basis is usually that its use is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us. In some situations we may rely on a different legal basis, for example, when we are using personal information to pay a supplier, our legal basis is that its use is necessary for the purposes of our legitimate interests as a buyer of goods and services.

Another example would be for compliance with a legal obligation to which NHSGGC is subject to, for example under the Public Health etc (Scotland) Act 2008 we are required to notify Health Protection Scotland when someone contracts a specific disease.

When we are using more sensitive types of personal information, including health information, our legal basis is usually that the use is necessary:

  • For the provision of health or social care or treatment or the management of health or social care systems and services
  • For reasons of public interest in the area of public health
  • In order to protect the vital interests of an individual
  • For reasons of substantial public interest for aims that are proportionate and respect people’s rights, for example research
  • For the establishment, exercise or defence of legal claims or in the case of a court order.

On rare occasions we may rely on your explicit consent as our legal basis for using your personal information. When we do this we will explain what it means, and the rights that are available, to you. You should be aware that we will continue to ask for your consent for other things like taking part in a drug trial, or when you are having an operation.

5 – Who provides the personal information

We receive information directly from yourself or from other individuals and organisations involved in the delivery of health and care services in Scotland. These include other NHS Boards and primary care contractors such as GPs, dentists, pharmacists and opticians, other public bodies e.g. Local Authorities and suppliers of goods and services.

6 – Sharing personal information with others

Depending on the situation, where necessary we will share appropriate, relevant and proportionate personal information in compliance with the law, with the following:

  • Our patients and their chosen representatives or carers
  • Staff
  • Current, past and potential employers
  • Local Authority Services within the Health and Social Care Partnerships
  • Primary Care Network
  • Healthcare social and welfare organisations
  • Suppliers, service providers, legal representatives
  • Auditors and audit bodies
  • Educators and examining bodies
  • Research organisations
  • People making an enquiry or complaint
  • Financial organisations
  • Professional bodies
  • Trade Unions
  • Business associates
  • Police forces
  • Scottish Prison Service
  • Security organisations
  • Central and local government
  • Voluntary and charitable organisations.

During the COVID-19 (coronavirus) pandemic, personal data is used and shared by a number of NHS Organisations across Scotland, including Public Health Scotland and NHS National Services Scotland. Full details of how the data is used can be found via the links below:

7 – Transferring personal information abroad

It is sometimes necessary to transfer personal health information overseas for example if you require urgent medical treatment abroad. When this is needed information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with NHSScotland Information Security Policy.

8 – Retention periods of the information we hold

Within NHSGGC we keep personal data as set out in the Scottish Government Records Management Health & Social Care Code of Practice (Scotland) 2020.

The NHS Code of Practice sets out minimum retention periods for information, including personal information, held in different types of records including personal health records and administrative records. As directed by the Scottish Government in the Records Management Code of Practice, we maintain a retention schedule which details the minimum retention period for the information and procedures for the safe disposal of personal information.

9 – How we protect personal information

We take care to ensure your personal information is only accessible to authorised people. Our staff have a legal and contractual duty to keep personal health information secure, and confidential. The following security measures are in place to protect personal information:

  • All staff undertake mandatory training in Data Protection and IT Security
  • Compliance with NHS Scotland Information Security Policy
  • Organisational policy and procedures on the safe handling of personal information
  • Access controls and audits of electronic systems.
10 – Your rights

This section contains a description of your data protection rights within NHSGGC.

The right to be informed

NHSGGC must explain how we use your personal information. We use a number of ways to communicate how personal information is used, including:

  • This Data Protection Notice
  • Information leaflets
  • Discussions with staff providing your care.

The right of access

You have the right to access your own personal information.

This right includes making you aware of what information we hold along with the opportunity to satisfy you that we are using your information fairly and legally.

You have the right to obtain:

  • Confirmation that your personal information is being held or used by us
  • Access to your personal information
  • Additional information about how we use your personal information.

Although we must provide this information free of charge, if your request is considered unfounded or excessive, or if you request the same information more than once, we may charge a reasonable fee.

If you would like to access your personal information, you can do this by contacting:

Write to:
Health Records Legal Manager
NHS Greater Glasgow and Clyde
Admin Building Level 2
Gartnavel Royal Hospital
1055 Great Western Road
Glasgow
G12 0XH

Email: ggc.legalaspectsnorth@nhs.scot
Call: 0141 211 3855

Once we have details of your request and you have provided us with enough information for us to locate your personal information, we will respond to your request without delay, within one month (30 days). However If your request is complex we may take longer, by up to two months, to respond. If this is the case we will tell you and explain the reason for the delay.

For further information on how to access your health records please go to our ‘Access to Records/Seeing your notes’ page.

The right to rectification

If the personal information we hold about you is inaccurate or incomplete you have the right to have this corrected.

If it is agreed that your personal information is inaccurate or incomplete we will aim to amend your records accordingly, normally within one month, or within two months where the request is complex. However, we will contact you as quickly as possible to explain this further if the need to extend our timescales applies to your request. Unless there is a risk to patient safety, we can restrict access to your records to ensure that the inaccurate or incomplete information is not used until amended.

If for any reason we have shared your information with anyone else, perhaps during a referral to another service for example, we will notify them of the changes required so that we can ensure their records are accurate.

If on consideration of your request NHSGGC does not consider the personal information to be inaccurate then we will add a comment to your record stating your concerns about the information. If this is case we will contact you within one month to explain our reasons for this.

If you are unhappy about how NHSGGC has responded to your request for rectification we will provide you with information on how you can complain to the Information Commissioner’s Office, or how to take legal action.

The right to object

When NHSGGC is processing your personal information for the purpose of the performance of a task carried out in the public interest or in the exercise of official authority you have the right to object to the processing and also seek that further processing of your personal information is restricted. Provided NHSGGC can demonstrate compelling legitimate grounds for processing your personal information, for instance; patient safety or for evidence to support legal claims, your right will not be upheld.

Other rights

There are other rights under current Data Protection Law however these rights only apply in certain circumstances. If you wish further information on these rights download our Data Protection Notice – Other rights (PDF) document.

The right to complain

NHSGGC employ a Data Protection Officer to check that we handle personal information in a way that meets data protection law. If you are unhappy with the way in which we use your personal information please tell our Data Protection Officer using the contact details below.

Write to:
Stewart Whyte
Data Protection Officer
NHS Greater Glasgow and Clyde
1 Smithhills Street
Level 2
Paisley PA1 1EB

Email: Data.Protection@ggc.scot.nhs.uk
Call: 0141 278 4774

You also have the right to complain about how we use your personal information to the Information Commissioner’s Office (ICO).

Details about this are on their website at www.ico.org.uk.

11 – Child Friendly Privacy Notice

What is a Privacy Notice?

A privacy notice helps us tell you how NHS Greater Glasgow and Clyde use information we hold about you, like your name, address, date of birth and all of the notes the doctor or nurse makes about you in your health record.

From the age of 12 years old the law allows you to make some decisions about what we do with your information. In some situations we should ask your permission if we want to do anything with your information (this is known as processing). You can still ask an adult (like your Mum or Dad) for help with this if you don’t understand what we are asking you.

Why do we need one?

We need a privacy notice to make sure we meet the rules which are written in a law called the UK General Data Protection Regulation (UK GDPR for short).

What is the UK GDPR?

The UK GDPR is a rule that was introduced in 2021. It gives us guidelines to follow and provides you with a list of your rights, like:

  • The right to be told how we use your information
  • The right to be told how we make sure that the information is kept safe
  • The right to ask to see the information we hold
  • The right to ask us to change information you think is wrong.

What information do we collect about you and how do we use it?

We collect personal information so we know who you are and other types of information to manage a patient’s health – such as your name, address, information about your parents or guardians, records of appointments, visits, telephone calls, your health record, treatment and medicines, test results, X-rays and any other information to enable us to care for you.

We might need to share this information with other medical teams in hospitals, for example, if you need to be seen by a special doctor or sent for an X-ray. We may be asked to help with exciting medical research but we will always ask you, or your parents or adults with parental responsibility, if it’s okay to share your information.

How do we keep your information safe?

Everyone working in the NHS knows that they need to keep your information safe. Especially the information which identifies you; this might be your name or address and anything that you come to see us about. We are not allowed to share this type of information with anyone that shouldn’t see it. This includes talking to them about it.

How can you see the information that we hold?

Under the new UK GDPR you are allowed to ask to see your health records whenever you like, we call this a Subject Access Request (SAR for short). This is normally free. To be able to see your records you will need to contact us, you can phone, email or write to us. We will ask you for some basic details so that we can make sure that we are giving this information to the right person. We will check with the doctor that it is okay for us to give you your health record and once the doctor has agreed we will give you the information within 1 month of you asking us.

After seeing your health record if you think that any of the information you see is not correct, you can ask for this information to be taken out or corrected. This can only be done if we are 100% sure that the information is NOT correct.

What if you don’t want your information to be shared?

All of our patients, no matter what their age, can in some circumstances say that they don’t want us to share their information. If you are older than 12 and understand this decision, you are allowed to make the decision by yourself. If you’re not sure about something, you can always ask us or another adult you trust.

What should I do if any of my information changes?

It is important that you tell us or any other person treating you if any of your details such as your name, address or contact details have changed. This is because we sometimes have to share your information with other people like healthcare staff or your own Doctor and we need to be sure that we are talking about the correct person.

What if I have questions?

If this doesn’t give you the information you need you can ask a member of medical staff or someone you trust.

What if I want to complain?

If you are not happy about how your information is being kept or shared, you can speak to our Data Protection Officer or a member of the Information Governance Team and explain why you want to complain. You can email us at data.protection@ggc.scot.nhs.uk

Would you like to know more?

We try to give you as much information as possible and we always make sure that the information we give you about how we use your data is up to date. Any updates will be published on this website www.nhsggc.scot

12 – Forensic Medical Service Data Protection Notice

Data Protection Notice

This data protection notice relates to the Forensic Medical Service (FMS).  It applies to personal information of all individuals who are referred by Police Scotland or who self-refer for a forensic medical examination (FME) following a rape or sexual assault.

Specifically, this notice applies to personal information processed as part of an FME to support your health and wellbeing and identify your healthcare needs.  It also applies to your personal information being used to support any criminal investigations and/or future prosecutions for Police Scotland referrals, or self-referrals (should you wish to report the incident to Police Scotland at a later date).

Data Controllers

For personal information processed in order to support your health and wellbeing and identify your healthcare needs, NHS Greater Glasgow & Clyde is the data controller:

J B Russell House,

Gartnavel Royal Hospital Campus

1055 Great Western Road

G12 0XH

Glasgow

For personal information collected in order to support any criminal investigation and future prosecution, Police Scotland is the data controller:

The Chief Constable of the Police Service of Scotland
Tulliallan Castle
Kincardine
Fife
FK19 4BE

What types of personal information do we process?

NHS Greater Glasgow & Clyde will process your personal information, including sensitive information as part of the FME.  For example – name, address, date of birth, postcode and information about your health such as risk of pregnancy and details of onward healthcare referrals made.  

Only forensic information collected as part of the FME will be used to support any criminal investigation and future prosecution (for self-referral should you wish to report the incident to Police Scotland at a later date).  We will not share your health information unless legally required to do so.  This information will be kept separately from your master health record.

Our purposes for processing your personal information

NHS Greater Glasgow & Clyde will process your personal information for the following purposes:  

  • To support your health and wellbeing and identify your healthcare needs
  • To collect evidence that would support any criminal investigation and future prosecution (for self-referral should you wish to report the incident to Police Scotland at a later date)

Our lawful basis for processing personal information

NHS Greater Glasgow & Clyde will only process your personal information where data protection law allows us to.  In order to support your health and wellbeing and identify your healthcare needs, we process your personal information under the following legal bases:

  • Personal Information: Article 6 (UK GDPR) 1(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Special Category Information: Article 9 (UK GDPR) 2(h) – processing is necessary for the purposes of medical diagnosis and the provision of health or social care.

In order to collect evidence that would support any criminal investigation and future prosecution (should you wish to report the incident to Police Scotland at a later date), we process your personal information in line with Part 3 of Data Protection Act 2018 and under the following legal bases:

  • Personal Information: Part 3, Chapter 2, Section 35 (DPA) 35 (2) (b): processing is necessary for the performance of a task carried out for that purpose by a competent authority.
  • Sensitive Processing: Part 3, Chapter 2, Section 35 (DPA) 35 (5) (a): processing is strictly necessary for law enforcement purpose.

Who provides the personal information?

Personal information will be provided either:

  • directly by you when you self-refer to the service.
  • on occasions where you are referred to us by Police Scotland, they will share information which is necessary to support you and Police Scotland’s ongoing investigation.

Sharing of personal information

NHS Greater Glasgow & Clyde will only share your information where there is a clear legal basis to do so:

  • We will share limited anonymous information with Public Health Scotland for the purpose of reporting on the operation of the Forensic Medical Service;
  • We may share information with relevant services/agencies as part of onward health related referrals;
  • Information provided by you will not be shared with Police Scotland unless you decide to report the incident to Police Scotland.  The exceptions to this are if you are:
  • under 16 years of age;
  • aged 17 or 18 years old and under the care of social work;
  • thought to be in imminent danger.
  • originally referred to the service by the police.  

We may also share information when there is a perceived threat to life to someone other than yourself. All health professionals are bound by the duty of confidentiality and their own professional regulatory body.

Security of your personal information

NHS Greater Glasgow & Clyde takes care to ensure your personal information is only accessible to authorised individuals.  Our staff have a legal and contractual duty to keep personal health information secure and confidential.  Set out below are some example security measures:

  • Access to your personal information is restricted to those who have a need to access it in order to carry out their legitimate duties.
  • All staff undertake mandatory training in Data Protection and IT Security.
  • Organisational policy and procedures on the safe handling of personal information.

Retaining personal information

NHS Greater Glasgow & Clyde will retain personal information collected to support your health and wellbeing and identify your healthcare needs in line with the Scottish Government Records Management Health & Social Care Code of Practice (Scotland) 2020.  

NHS Greater Glasgow & Clyde will retain personal information collected to support any criminal investigation and future prosecution. After a self-referral, should you wish to report the incident to Police Scotland at a later date, the information will be held for 26 months.

Your rights

You have a number of rights under the forensic medical service along with data protection law rights.  Specifically:

FMS Rights

  • The right to be informed: we will explain fully what may happen to evidence collected during a forensic medical examination.
  • The right to return of evidence: you have the right to request that any evidence gathered during the forensic medical examination is returned to you (that is, items which were worn or otherwise present during the incident which gave rise to the examination, but does not include for example, samples)
  • The right to destruction: you have the right to request that evidence is destroyed and will be allowed a 30 day cooling off period to allow you to change your mind.

Data Protection Rights

  • The right to be informed: we explain how and why we use your personal information;
  • The right of access: you have the right to access your personal information;
  • The right to rectification: if the personal information we hold about you is inaccurate or incomplete, you have the right to have this corrected;
  • The right to restrict processing: you have the right to request that further processing of your personal information is restricted;
  • The right to erasure: you have the right to request that your personal information is erased.  

Some rights are not absolute and only apply in certain circumstances. For more information on your rights please see: www.ico.org.uk.  If you would like to exercise your rights, you can contact the below team:

Data Protection Team
1 Smithhills Street
Paisley
PA1 1EB

Data.protection@ggc.scot.nhs.uk

Complaints about how we process your personal information

If you are unhappy about how NHS Greater Glasgow & Clyde has processed your personal information you can also contact the Data Protection Officer at the above address.

You also have the right to make a complaint to the Information Commissioner’s Office:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113

https://ico.org.uk/make-a-complaint/

13 – Research and Innovation

NHSGGC is a research active organisation. We work closely with other health and social care organisations, academic partners and industry to review, inform and improve health, care and services through research. As a publically funded organisation, the research and innovation undertaken in NHSGGC must be in the public interest and necessary for scientific research.

We may use information contained in clinical records for research on health conditions, treatments and care, to audit our services against agreed standards and to help develop and improve our services.

When we do this, there are processes in place to make sure that patient confidentiality and security issues are considered appropriately. Uses of patient information for research and development are always in the public interest and subject to strict transparency, proportionality, minimisation and anonymisation principles, in line with the Information Commissioner’s Office (ICO) guidance.

Some research and innovation may process personal information without patient consent. In Scotland, the Public Benefit and Privacy Panel may review the legal basis, transparency and safeguards required for this to be approved, or there can be local ethical review by an independent committee under the West of Scotland Safe Haven REC approval. Personal information processed for research purposes within the Safe Haven, including routinely collected health data and research application data, is usually pseudonymised prior to presentation to accredited researchers. For more information see the West of Scotland Safe Haven website.

For individual Health Boards, approval for participation in national research and development work or work within the Health Board itself is approved by the Board’s Caldicott Guardian, a senior person responsible for protecting the confidentiality of patient’s health and care information and making sure it is used properly.

Research can include the provision of data, including identifiable data, to national registries for long-term analysis of trends in particular conditions for the benefit of everyone. It can also include the aggregation (bringing together) of data from different parts of the health and social care system. However, the outputs of research are always anonymous, are not used to make decisions about you personally and safeguards will be put in place to help ensure the use of your data will never be harmful to you.

Health Boards may also take part in clinical trials however your consent will always be obtained in order for you to take part in a clinical trial. Once the information is used as part of the research study, your rights to access, change or move information may not apply because the integrity, reliability and accuracy of the research could be affected. If you withdraw from a study it may not be possible to remove information about you that has already been obtained.

The legal basis for carrying out Research and Development work with patient information is UKGDPR Article 6(1)(e) and UKGDPR Article 9(2)(j) in accordance with Schedule 1 Part 1 Paragraph 4 of the Data Protection Act 2018.

For more information on Research and Innovation please contact RandDPROJECTEMAILS@ggc.scot.nhs.uk

Accordion title 1

This is a placeholder tab content. It is important to have the necessary information in the block, but at this stage, it is just a placeholder to help you visualise how the content is displayed. Feel free to edit this with your actual content.

Accordion title 2

This is a placeholder tab content. It is important to have the necessary information in the block, but at this stage, it is just a placeholder to help you visualise how the content is displayed. Feel free to edit this with your actual content.