Privacy policy
This policy sets out how NHS Scotland uses and protects any information that you give us when you use this website.
What we collect
We may collect the following information:
- full name
- date of birth
- email address
- mobile number
- postcode
How we use your data
We use your data to:
- identify you
- provide a healthcare service
We may also use it for:
- internal record keeping
- improving our products and services
How we share your data
We sometimes use other organisations to process your personal information on our behalf. When we do, these organisations are bound by legal agreements to ensure your personal information is secure and used only for the purpose we stipulate.
We may need to share your personal information if we are required to do so by law.
How we protect your data
We take the security of your healthcare data seriously. We protect your data through:
- two-factor authentication
- system auditing functionality and procedures
- vulnerability scanning and anti-virus measures
- network security including firewalls and penetration testing
- encryption of personal data
- Cyber Essentials compliance
- system security policy and standard operating procedures
- ISO 27001 standard for information security compliance
- defined information security and related policies
- staff training in security and privacy best practice
- a documented incident management and reporting process
- physical security policies
Your data is securely stored in the European Economic Area (EEA). We'll update this notice if we transfer it outside the EEA.
How long we keep your data
We hold on to your information for as long as is reasonably necessary. This can depend on legal, regulatory, tax, accounting or technical requirements.
Cookies
When you use this service, we put small files called cookies onto your device.
We use Google Analytics cookies to collect information about how you use our platform and to help us make improvements to it. Cookies are not computer programs.
They do not collect or store your information, so we cannot identify you from them.
You can remove cookies from your device at any time. Your device will automatically delete expired cookies.
We do not allow Google to share our analytics data.
Your rights
You have the right to:
- request a copy of your personal data and other supplementary information
- correct errors or omissions in your personal data
Contact us to request a correction or a copy of your data.
Request that your personal information is deleted
You can request that we erase your personal information where:
- it's no longer necessary for the purpose for which it was originally collected
- you have withdrawn consent
- you object to the processing and there’s no legitimate interest for us to continue
- your data was unlawfully processed or in breach of the General Data Protection Regulation
- the data has to be erased in order to comply with a legal obligation
- the personal data is processed in relation to the offer of information society services to a child
We can refuse to erase your data where it’s being used to:
- exercise the right of freedom of expression and information
- comply with a legal obligation or for the performance of a public interest task or exercise of official authority
- for public health purposes in the public interest
- archiving purposes in the public interest
- inform scientific or historical research, or for statistical purposes
- the exercise or defence of legal claims
Object to processing
You can object to:
- data processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority, including profiling
- direct marketing, including profiling
- processing for purposes of scientific/historical research and statistics
Request we restrict our use of your personal information
You have the right to request a restriction such as a temporary stop of the processing of your personal information where:
- you think the personal information is inaccurate and it should not be used until it's corrected
- we're using your personal information unlawfully and you want your personal information to be held by us but not processed whilst a complaint / investigation takes place
- you require us to keep your personal information and not delete it while you make or defend a legal claim
- you have objected to our use of your personal information and we do not have legitimate grounds to override your objection