Data protection law governs the use of personal data and gives you the following rights, where applicable:
Right to be informed
You have the right to be informed about the collection and use of your personal data. This privacy notice sets out how we use personal data in Public Health Scotland. Where necessary, we also provide additional information about specific information systems on information leaflets which are meant to better inform individuals whose data we are processing.
Right of access
This is commonly referred to as ‘subject access’. You have the right to request access to personal data we hold about you if it is not subject to any access restrictions under data protection law. PHS has processes in place to ensure that we respond to subject access requests without undue delay and within a month of receipt of the request. We may extend the time to respond by a further two months if the request is complex or if we have received a number of requests from you. We are required by law to take steps to confirm your identity before the information is provided.
Right to rectification
If the personal data we hold about you is proved to be inaccurate or incomplete, you have the right to have this corrected. We will take steps to verify the accuracy of the information and will respond within a month. If we cannot comply with your request, we will explain why. If we plan to comply with the request, we will rectify the information and tell you when we do so. As we may not have collected the data directly from you and not involved in your direct care, we are likely to direct the request to the supplier of the data to PHS for consideration as well.
Right to erasure
(‘right to be forgotten’)
You can ask us to have your data erased in certain circumstances, such as when you have consented to subscribe to our newsletter or if the data are being processed unlawfully. For most of our processing of personal data in PHS, this right may not apply. This is because we may be processing your personal data for purposes related to complying with a legal obligation, or performing a public interest task, or public health purposes in the public interest, or scientific research, historical research or statistical purposes, or in relation to establishing, exercising or defending legal claims. In these circumstances data protection law enables us to set this right aside.
Right to restrict processing
You have the right to ask us to restrict or suppress your personal data in certain circumstances, for example, if you are awaiting the outcome of your rectification request. PHS will consider each request on a case-by-case basis. However, if the personal data are being used, for example, to calculate total numbers of people using a health or social care service for our national statistics outputs, where no individual is identified in the outputs, data protection law permits us to continue to process your personal information.
Right to data portability
The right to data portability allows you to obtain and re-use your personal data for your own purposes across different organisations. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way. An example of this in practice would be when consumers take advantage of applications and services which use their information to find them a better deal such as an energy switching service. The right to data portability only applies when you submit your personal data directly to us, through electronic means.
This means that in most circumstances the right to data portability does not apply within PHS. However, where our legal basis for processing your personal data is consent, or we are performing a contract, then we will supply you with the information you hold or transfer it to another organisation of your choice. PHS currently does not offer any direct input of personal data by the public through electronic means; but this may change in the future.
Right to object
You have the right to object to the processing of your personal data in certain circumstances. However, this right will be set aside if PHS can demonstrate, for example, that it is processing your personal data on the legal basis of scientific or historical research, or statistical purposes.
Rights related to automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling which has legal or other significant effects on you. In PHS we carry out profiling in the course of our statistical work to improve health and social care. Profiling may include, for example, determining geographical boundaries where individuals within defined age groupings live with certain types of cancer clusters so as to understand patterns of cancer incidence and prevalence across the population. However, solely automated decisions about you are not taken based on this profiling. Some examples of our statistical work are:
- Comparing statistics on rates of illness or early death between people living in the poorest areas and people living in the wealthiest areas
- Analysing and predicting demand for Accident & Emergency (A&E) department services to enable NHS Boards to plan their workforce numbers to respond to the demand.
- Analysing patient data and reporting on progress towards the various national waiting times targets in order to monitor performance of NHS Boards.
- Producing clinical profiles on medical and surgical activity and outcomes in Scotland which are made available to the appropriate clinical staff to stimulate reflective clinical practice and facilitate improvements in the care of patients.
- Reporting on incidents of heart attacks, including age profile of patients, discharge rates and survival rates. This can provide evidence of progress against the priority areas in the national heart disease improvement plan
- Generating hospital readmission risk scores for individual people, based on linked health and care data, that may be used to inform, but not determine, ongoing individual care planning.
Contacting the data protection officer
If you would like to exercise any of your rights as described above, please contact the PHS Data Protection Officer at the address given below. Given that all the rights are qualified rights, you will be advised whether the right applies and therefore has no exemption under data protection law; and, if so, you will be informed what steps are being taken to uphold your right.
For all of the rights above, we will inform you of our decision within a month of receipt of the request and may extend the time to respond by a further two months if the request is complex or if we have received a number of requests from you. If we are unsure about your identity, we are legally required to take steps to confirm your identity before the request is carried out.
We work to high standards and take our legal responsibilities very seriously when it comes to processing your personal data. If you have queries, concerns or complaints, please email the Data Protection Officer at firstname.lastname@example.org as this is the quickest way for us to respond to you Our address is:
Data Protection Officer
Public Health Scotland
1 South Gyle Crescent
Email address: email@example.com
Telephone: 0131 275 6000
If you remain dissatisfied, you can make a complaint about the way we process your personal data to the Information Commissioner’s Office. Details about this are on their website at www.ico.org.uk or call them on 0303 123 1113 (local rate call).