Personal data is information that identifies you. It includes things like your name, address, date of birth and postcode.
If the information contains details of any health care you may have received, it may be referred to as ‘special categories of personal data’. This can include information such as care and treatment you have received and results of tests you have had, as well as health, lifestyle and cultural information such as ethnicity.
Why we need to collect and hold your personal data
There is a huge potential to make better use of information about people to improve health and social care services across the whole public health system. Information about you is essential for us to provide the evidence required for providing the best quality health and care services and addressing inequalities of health outcomes.
Having this information means that we can, for example:
- Better understand the links between avoidable illness and deaths in groups of people and social, lifestyle, environmental and health factors
- Find evidence to help address the avoidable differences in people’s health across the population and between specific population groups
- Find solutions for reducing the incidence of ill health and harmful lifestyles of people in our local communities
- Influence the actions being taken at national and local levels around health inequalities by describing the problem, understanding the causes, and evaluating interventions
- Assess how safe and effective a treatment is and provide evidence for improving patient safety
- Check that public money is being spent properly and report on current and future costs of healthcare services
- Provide evidence to show how government, healthcare and social care policies are working
- Plan how many beds, clinics, staff and types of additional services are needed
- Monitor the incidence and prevalence of particular diseases or illnesses or threats to public health such as flu, coronavirus, cancers, heart disease and strokes
- Carry out public health and clinical research to increase our knowledge and find workable solutions to our public health challenges
- Report on performance against national treatment standards and targets required by the Scottish Government and health and care providers
- Report on insights for improving the care of people with mental health problems e.g. people undergoing electroconvulsive therapy, post-diagnostic dementia support, access to psychological therapies and child and adolescent mental health services, and the factors which assist in suicide prevention
- By means of the Scottish cancer registry and related cancer information, assess the safety and effectiveness of cancer treatment, monitor particular cancers, carry out public health research for improving cancer care, and report on national cancer treatment targets, all of which have huge benefits for patients with cancer today and in the future
- Provide on-site expert analytical support to health and social care partnerships, local authorities, community planning partnerships, GP clusters, and the third sector in order to provide local decision makers with meaningful and actionable intelligence, leading to improved outcomes for service users and patients
Along with all NHS boards within NHS Scotland, we use personal data to:
- Support and manage our employees
- Maintain our accounts and records
- Protect the public funds we administer
- Use CCTV systems and photo badge ID cards for crime prevention and security
- Support the administration of health and care services
What we do with your personal data
We use some of your personal and non-personal data to do statistical calculations and then create charts, graphs, tables, dashboards, and reports which help us to carry out our functions. We also publish open data on our open data portal. This data is available for anyone to use and re-use, and it does not identify any individual.
We have a legal gateway for producing official statistics on any matter, as set out in The Official Statistics (Scotland) Order 2008, The Official Statistics (Scotland) Amendment Order 2019 and the Statistics and Registration Service Act 2007. PHS publishes a range of statistics on various topic areas, which are pre-announced on its website. Details of the open data that PHS makes available can be found on the open data portal.
Our statistics comply with the Code of Practice for Statistics in terms of trustworthiness, high quality and public value. This also means that we keep data secure at all stages, through collection, processing, analysis and output production, and adhere to a ‘five safes’ framework:
- Safe people – all our staff undertake compulsory training in data protection and information security. They also have the technical skills to analyse the data, make sense of the outputs, find evidence, and report on the findings. Time-limited access to personal data in PHS is role based, with restrictions and authorisations in place, as well as monitoring of what is used.
- Safe projects – our staff require time-limited authorisation to access personal data and they have to justify the use of the data. Depending on the type of project, the request for access may be scrutinised by an external independent public benefit and privacy panel which includes patient representatives. This panel checks that we protect personal data and meet our legal obligations of data protection and confidentiality.
- Safe data – when our staff work with data we make sure we only use the minimum information required for us to undertake our role. What this means in practice is that, in some circumstances, for example, where some of our specialist staff are involved in understanding where there are clusters of certain types of cancers, they may be authorised to use personal data for their statistical analysis within our encrypted and secure computer servers.
- Safe settings – personal and special categories of personal data which are available in PHS are stored on secure servers which have certified security controls. We comply with the NHS Scotland Information Security Policy set out by Scottish Government. In some cases, data can only be accessed within the national safe haven, which is a secure analytic environment with access to secure analytic software.
- Safe outputs – our outputs which have been created by using personal data undergo statistical checking and disclosure assessment to ensure that no individuals can be identified and that the outputs meet the highest confidentiality standards.
Proportionality is a key principle of data protection law that Public Health Scotland will adhere to in all information sharing. That is, we will process only the minimum adequate and relevant amount of information necessary. Approved statistical techniques to mask any identifiable parts of information will be carried out, wherever possible, to preserve the privacy of individuals and confidentiality of information.
We do most of our analysis with information that does not directly identify you, i.e. it does not hold your name, address and other immediately identifying information. There are times when we have to use information that could identify you. Here are some examples:
- Reviewing samples of health records to make sure the information held is accurate, as part of our data quality assurance function
- Linking information together so that the outcomes of a particular illness or disease can be monitored
- Providing information to an NHS Board about their patients or residents who have had treatment in other locations
- Monitoring health hazards for the people of Scotland by gathering surveillance information provided by laboratories, hospitals, GPs, NHS Boards, Local Authorities or voluntary sector agencies
- Managing exposure to health hazards and large outbreaks of infectious illness that may affect many people across Scotland, such as large flu outbreaks and pandemics
We only release information that could identify you directly when required or permitted by law; or when it can be shown that you gave your permission, for example, where you have given us permission to allow its use for clinical trials; or where disclosure is necessary to safeguard an individual, or others, or is in the public interest.
Depending on the situation, we may need to share personal information with others. If we do, we will only share appropriate, relevant, and proportionate personal information and we will comply with the law. Others could include:
- Current, past and potential employees
- Healthcare, social and welfare organisations
- Suppliers, service providers and legal representatives
- Auditors and audit bodies e.g. Audit Scotland as part of the national fraud initiative
- Educators and training bodies
- Regulatory bodies e.g. the General Medical Council
- Research organisations
- People making an enquiry or complaint
- Patients, care users and their authorised representatives
- Financial organisations and Her Majesty’s Revenue and Customs (HMRC)
- Trades unions
- Business associates
- Courts, tribunals and legal experts
- Security organisations, police forces and NSS counter fraud services
- Central and local government
- Voluntary and charitable organisations
- Scottish Workforce Information Standard System for national reporting of staff information
- Human Resources, occupational health, payroll, and line managers