How we use your information 

The What matters to you? website is managed by Healthcare Improvement Scotland, which is one of the organisations which form part of NHS Scotland. The functions and duties of Healthcare Improvement Scotland as prescribed in the NHS Scotland 1978 Act are to: 

  • support, ensure and monitor the quality of health care 
  • provide information about the availability and quality of services provided under the health service and by independent healthcare providers 
  • undertake evaluation and provision of advice to the health service on the clinical and cost effectiveness of new and existing health technologies including drugs. 

This is a privacy notice to inform you about how we process any information we record about you. Process means to collect, store, transfer, use or otherwise act on. Data protection law (the Data Protection Act 2018 and the UK General Data Protection Regulation) requires us to tell you about your rights and our obligations to you with regards to the processing and protection of your personal data, which we do by providing this privacy notice.

Our Data Protection Officer (DPO) is Alison Winning. The DPO is independent and an expert in data protection. The DPO is the Healthcare Improvement Scotland point of contact with the Information Commissioner’s Office.

The Data Protection Act 2018 requires organisations to register a notification with the Information Commissioner’s Office to describe the purposes for which they process personal and sensitive information. Healthcare Improvement Scotland is registered as the data controller and our registration can be viewed online in the public register at: Register of fee payers

About the personal information we use 

This information notice tells you what to expect when Healthcare Improvement Scotland collects personal data.  It applies to information we collect and use about: 

  • visitors to our websites 
  • job applicants and our current and former employees 
  • people who volunteer their time to work with us 
  • students who are on placement or work experience with us 
  • patient data we process as part of our core activities and statutory functions 
  • patient and service user experiences of health care provision 
  • professional experts and consultants 
  • surveys or consultations we conduct 
  • complainants and other individuals in relation to a complaint about our work or about an Independent Healthcare provider 
  • people who raise a patient safety or quality of care concern with us about an NHS Scotland service 
  • complainants and other individuals in relation to a data protection or freedom of information complaint or enquiry 
  • people who attend our events or use our services, e.g. those who subscribe to our newsletters or join an event held by us 
  • services that are required to register with us and are regulated by us
  • people who contact us via email or social media 

The personal information we use includes information that identifies you such as your name, address, date of birth and postcode. 

We also use more sensitive types of personal information, including information about racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; health; and sex life or sexual orientation. This is termed special categories of personal data.  

The information we use can relate to personal and family details; education, training and employment details; financial details; lifestyle and social circumstances; goods and services; visual images; details held in the patient record; and responses to surveys.  

Who provides the personal information 

When you do not provide information directly to us, we receive it from other individuals and organisations involved in the delivery of health and care services in Scotland.  These include other NHS boards, public bodies, regulators or law enforcement bodies and suppliers of goods and services.  

Our purposes for using personal information 

We process personal information to enable us to support the improvement of healthcare services to patients, maintain our own accounts and records, promote our services, and to support and manage our employees, volunteers, students and health care professionals who deliver services throughout NHS Scotland. 

Confidential personal information 

In our role of enabling the people of Scotland to experience the best quality of health and social care, at times we have to obtain and work with confidential personal information. This is information which relates to an identifiable individual and which was obtained in circumstances which require it to be held in confidence. 

We may obtain and use confidential information where it is necessary for us: 

  • to provide scrutiny of healthcare in Scotland, for example, to inspect or assess the quality of care provided within a specific service, including healthcare in prisons and in police custody
  • to receive and share intelligence about the care systems across Scotland (particularly about the NHS) with other national agencies
  • to deal with a complaint or a whistleblowing concern relating to a healthcare provider
  • to gather the experiences of patients and service users for improvement purposes

People’s Experience and Research  

We use research methods to engage patients, service users and members of the public as part of our person-centered approach to informing improvement and re-design activities across health and social care in Scotland.  

We may undertake research as part of our core work programmes to help develop and improve NHS Scotland services. When we do this, there are processes in place to make sure that confidentiality and security issues are considered appropriately. Where this work involves using information from several healthcare providers it is normally scrutinised by the Public Benefit and Privacy Panel for Health and Social Care and in addition, some specific types of research may also require approval from a relevant research ethics committee.  

We may, in any of our involving people activities, contract third party research organisations to undertake work on our behalf.  Participants in the work will be informed when this is the case and be made fully aware of who is processing their personal data.  

When you agree to take part in an engagement activity we may ask for your name, address, telephone number and/or email address, so we can invite you to take part and make the necessary arrangements.  We may also collect equality monitoring information, such as age, sex, religion, and ethnicity, to make sure we gather feedback from people from a range of backgrounds and contexts. We will also use your contact details to let you know when there may be potential reports or case studies from the activity you took part in.  

When you participate in any engagement activities, your answers will be held separately from your personal information. All information you provide, and your replies will be stored separately from your name and contact details. Your participation will be kept strictly confidential.   

The outputs of service improvement and research are anonymous unless you consent to your personal information being shared at publication stage as part of our knowledge sharing activities.   

The information we hold will not be used for any other purpose except for the piece of work you have agreed to.   

Your personal information will not be used for marketing or other purposes, nor will your information be shared with third parties apart from those under contract to HIS (Healthcare Improvement Scotland) to support the delivery of the work. Your information will be kept as long as is necessary for the purpose you have agreed to.  

Visitors to our websites 

When you visit our websites, your computer will automatically be issued with a number of small text files known as “cookies”. These cookies are used to make our websites run more efficiently, and allow our web server to remember and store your preferences as you travel throughout our sites.  We also use cookies to track visitor interaction with our websites. We use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns anonymously. This information is used by Healthcare Improvement Scotland to make improvements to our websites and their usability. Find out more about how we use cookies

To opt out of being tracked by Google Analytics across all websites visit: http://tools.google.com/dlpage/gaoptout 

Our legal basis for using personal information 

Healthcare Improvement Scotland, as controller, is required to comply with the Data Protection Act 2018 and the UK General Data Protection Regulation and to have an appropriate legal basis when using personal information. We consider that the performance of our tasks and functions is in the public interest.

When using personal information our legal basis is usually that its use is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us. 

In some situations we may rely on a different legal basis, such as compliance with a legal obligation to which we are subject. For example, under the Public Finance and Accountability (Scotland) Act 2000 we are required to provide Audit Scotland with specific data sets on a regular basis. 

When we are using more sensitive types of personal information, including confidential personal information, our legal basis is usually that the use is necessary: 

  • for the provision of health or social care or treatment or the management of health or social care systems and services; or 
  • for reasons of public interest in the area of public health; or 
  • for reasons of substantial public interest for aims that are proportionate and respect people’s rights, for example research. 

On occasion we may rely on your consent as our legal basis for using your personal information. When we do this we will explain what it means, and the rights that are available, to you. 

We also process data for ‘law enforcement purposes’ as prescribed by Part 3 of the Data Protection Act 2018 in order to deliver our duties regulating independent healthcare.

The HIS Appropriate Policy Document (APD) details how we protect special category and criminal offence data which we process when the following conditions are met: 

  • we are processing personal data which is the subject of Articles 9 or 10 of UK GDPR 
  • we are processing the personal data in reliance on a condition listed in Parts 1, 2 or 3 of Schedule 1 of the DPA 
  • the condition listed in Parts 1, 2 or 3 of Schedule 1 includes a requirement for the data controller to have an APD – some of the Schedule 1 conditions for processing special category and criminal offence data require us to have an APD in place, setting out and explaining our procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data 
  • this document explains our processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018 

Providers that process data on our behalf 

HIS uses Microsoft 365 services as part of an NHS Scotland national contract. 

HIS data within the M365 environment is handled in line with national impact assessments and acceptable use policies. We undertake individual impact assessments where required by data protection legislation related to specific use of the M365 apps for specific purposes related to our work. 

MS Privacy Statement 

MS365 Teams Meetings including recording and transcription

If you attend an event, meeting, or training session where we use MS Teams which is recorded and/or transcribed using MS365 you will receive a privacy notice specific to the purpose of the event, meeting, briefing or training session. 

Personal information recorded or transcribed in the MS365 Teams environment relates either to directly consenting participants in recorded meetings or to data where Healthcare Improvement Scotland has an established legal basis for processing. 

The categories of personal information held in relation to recordings and transcriptions are name, job title, organisation, image and personal contributions to the business or professional development event. 

The recording could contain your: 

  • video stream (including images of yourself), if you choose to enable your camera during the meeting
  • audio stream, if you choose to enable your microphone during the meeting; this could include any opinions you contribute and anything you say about yourself
  • chat contributions within the meeting, which could also be captured in the meeting recording

e-Newsletter

We use a third party provider, Mailchimp, to deliver our monthly e-newsletters for Healthcare Improvement Scotland and specific business units such as Community Engagement and iHub. 
 
Mailchimp uses click and open rate monitoring which allows Healthcare Improvement Scotland to record how many of the emails we send are opened and how many successfully delivered emails registered at least one click. We record and use this data to inform activities at an aggregated level. Individual subscribers to our newsletters are not monitored and subscriber details are only accessible to the HIS Mailchimp account holders. Further information on click and open rates is available on the Mailchimp site. 

The Mailchimp privacy policy provides wider information on the company's handling of information. 

Blog 

The corporate blog is provided by WordPress. Cookies and anonymised analytics are used on this site to improve the visitors' experience and to provide feedback to Healthcare Improvement Scotland on visitors. Automattic Inc. provides WordPress, and how they use data is outlined in their corporate privacy policy.

Social media

We routinely use Twitter, Facebook, LinkedIn, YouTube, Vimeo and Wistia to provide information and communicate.  We occasionally use Hootsuite to schedule tweets or Facebook posts. We do not collect any data via our social media accounts beyond the standard analytics available for each platform. Our policy on how we use social media provides additional information. 

The standard privacy policies for the social media tools we use can be found below: 

Twitter, Facebook, LinkedIn, YouTube, Hootsuite, Wistia, Vimeo 

Event booking

We use Microsoft M365 Webinars, Eventbrite and Scottish Health Services Centre (SHSC) Events to manage our event bookings. 
 
Eventbrite terms and conditions and privacy policy

SHSC privacy notice

Surveys

We use MS Forms and third party provider Smart Survey to gather feedback regarding our work, events and publications. 
 
Smart Survey Terms of Use 
Smart Survey privacy notice 

Sharing personal information with others 

Depending on the situation, where necessary we will share appropriate, relevant and proportionate personal information in compliance with the law, with the following:  

  • staff 
  • patients and/or members of the public, their chosen representative or carer 
  • current, past and potential employers 
  • healthcare, social and welfare organisations 
  • suppliers, service providers, legal representatives 
  • auditors and audit bodies 
  • educators and examining bodies 
  • education institutions and providers 
  • research organisations 
  • people making an enquiry or complaint 
  • financial organisations 
  • professional bodies 
  • trade unions 
  • business associates 
  • police forces 
  • security organisations 
  • central and local government 
  • voluntary and charitable organisations 
  • regulatory organisations 

We will apply appropriate technical and organisational security measures to any transfers as detailed in our Information Security policy.

Transferring personal information abroad 

When using independent third party online providers of event booking, newsletter and survey services that process data outwith the European Economic Area (EEA), we check that their privacy notices assure personal data is processed in ways meeting data protection legislation requirements. You may wish to read the providers’ privacy notice before consenting to give them your personal information. 

Eventbrite terms and conditions and privacy policy 
Mailchimp terms and conditions and privacy policy 

Retention periods of the information we hold 

Within Healthcare Improvement Scotland we keep personal information as set out in the Scottish Government Records Management: Health & Social Care Code of Practice (Scotland) 2020. The NHS Code of Practice sets out minimum retention periods for information, including personal information, held in different types of records including personal health records and administrative records.  As directed by the Scottish Government in the Records Management Code of Practice, we maintain a retention schedule detailing the minimum retention period for the information and procedures for the safe disposal of personal information.  

How we protect personal information 

We take our duty to protect your personal information and confidentiality seriously. We are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether electronic or on paper. 

We take care to ensure your personal information is only accessible to authorised people.  Our staff have a legal and contractual duty to keep personal health information secure and confidential. Under the NHS Scotland Code of Practice on Protecting Patient Confidentiality all staff are also required to protect patient information. 

The following security measures are in place to protect personal information: 

  • All staff undertake mandatory training in data protection and information security 
  • Organisational policy and procedures on the safe handling of personal information 
  • Access controls and audits of electronic systems 

These resources plus support available from the information governance team ensure that staff members are aware of their responsibilities. Staff follow best practice on the necessary safeguards and appropriate use of person-identifiable and confidential information. 

Everyone working for the NHS is subject to the common law duty of confidentiality. Information provided in confidence will only be used for the purposes advised and consented to by the service user, unless it is required or permitted by the law. 

Every NHS organisation has a Caldicott Guardian charged with protecting patient identifiable information. Our Caldicott Guardian ensures patient privacy is protected in our work. He can be contacted as follows: 

Dr George Fernie 
george.fernie2@nhs.scot 

Your rights 

This section contains a description of your data protection rights within Healthcare Improvement Scotland.  

The right to be informed 

Healthcare Improvement Scotland must explain how we use your personal information. We use a number of ways to communicate how personal information is used, including: 

  • This Data Protection Notice 
  • Information leaflets 

The right of access 

You have the right to access your own personal information. This right includes making you aware of what information we hold along with the opportunity to satisfy you that we are using your information fairly and legally.  

You have the right to obtain: 

  • confirmation that your personal information is being held or used by us 
  • access to your personal information 
  • additional information about how we use your personal information 

Although we must provide this information free of charge, if your request is considered unfounded or excessive, or if you request the same information more than once, we may charge a reasonable fee.  

Once we have details of your request and you have provided us with enough information for us to locate your personal information, we will respond to your request without delay, within one month (30 days). However, if your request is complex we may take longer, by up to two months, to respond.  If this is the case we will tell you and explain the reason for the delay. 

The right to rectification 

If the personal information we hold about you is inaccurate or incomplete you have the right to have this corrected. 

If it is agreed that your personal information is inaccurate or incomplete we will aim to amend your records accordingly, normally within one month, or within two months where the request is complex.  However, we will contact you as quickly as possible to explain this further if the need to extend our timescales applies to your request.  

If on consideration of your request Healthcare Improvement Scotland does not consider the personal information to be inaccurate, then we will add a comment to your record stating your concerns about the information. If this is the case we will contact you within one month to explain our reasons for this. 

If you are unhappy about how we have responded to your request for rectification we will provide you with information on how you can complain to the Information Commissioner’s Office, or how to take legal action. 

The right to object 

When Healthcare Improvement Scotland is processing your personal information for the purpose of the performance of a task carried out in the public interest or in the exercise of official authority you have the right to object to the processing and also seek that further processing of your personal information is restricted. 

Provided Healthcare Improvement Scotland can demonstrate compelling legitimate grounds for processing your personal information, for instance patient safety or evidence to support legal claims, your right will not be upheld. 

The right to complain 

Healthcare Improvement Scotland employs a Data Protection Officer to check that we handle personal information in a way that meets data protection law.  If you are unhappy with the way in which we use your personal information please tell our Data Protection Officer. 

Other rights 

There are other rights under current data protection law. However, these rights only apply in certain circumstances. If you would like further information on these rights, visit our further information page.

Where we process personal data for law enforcement purposes, we do so under Part 3 of the Data Protection Act 2018. Part 3 generally follows the requirements found in the UK General Data Protection Regulation. However, it also takes into account the operational needs of law enforcement agencies. Certain rights under the UK General Data Protection Regulation, such as the right to object and the right to data portability, do not exist in Part 3 of the Data Protection Act 2018. Further, there are exemptions and restrictions that can, in some circumstances, be legitimately applied to prevent individuals from exercising rights. It is important to note that subject access rights and the rights to rectification, erasure and restriction do not apply to the processing of ‘relevant personal data’ in the course of a criminal investigation or criminal proceedings. 

Contact information 

If you wish to make a request to access your own personal information or make a complaint about the way we handle your information please contact: 

Data Protection Officer 

his.informationgovernance@nhs.scot

You also have the right to complain about how we use your personal information to the Information Commissioner’s Office (ICO). Details about this are on their website at http://www.ico.org.uk/ 

Freedom of Information 

The Freedom of Information (Scotland) Act 2002 provides any person with the right to obtain information held by Healthcare Improvement Scotland, subject to a number of exemptions. If you would like to request some information from us, please send your request to the Information Governance Team. Personal and confidential information is often exempt from disclosure.