Personal data processing

Public Health Scotland has responsibilities as a ‘data controller’. A data controller decides why and how personal data is used. This means that PHS will have a legal basis for using personal data.

Public Health Scotland processes information for the purpose of fulfilling its statutory functions and its services.  PHS also processes personal information where it has a legal basis to do so.

Legal obligation

In some cases, Public Health Scotland has a legal obligation to process personal data. For example, Section 15 of the Public Health, Etc. (Scotland) Act 2008 (as amended) requires PHS to share information in relation to notification of communicable diseases and this will include personal data about the person affected.

Public task

Public Health Scotland, which is set up to achieve better health and wellbeing outcomes for the population, will perform public tasks and functions which are in the public interest.  This means that the legal basis for collecting and using personal data will be that the information is needed for performing a task carried out in the public interest. Examples are monitoring important public health problems such as flu outbreaks and pandemics to find ways to contain them, cancer to report on, and better understand, its causes and to find ways to prevent it, and reporting on the health and care of the population of Scotland.


We may occasionally rely on consent for processing personal data. The most common example is using name and email address to provide an individual with electronic newsletters that they have opted in to receive. In such cases, clear instructions will always be available to the individuals explaining how to unsubscribe which will result in their personal data being deleted. We may also use consent to photograph individuals and small groups of individuals which may be used in our literature or other media. When we use consent we will explain what it means, and the rights that are available to you.

Legitimate interests

We may sometimes use the legal basis of legitimate interests; for example, using personal data to process payment to a supplier because the information is needed for the purposes of legitimate interests as a supplier of goods and services. Other examples are: using personal data to respond to the sender of an enquiry, request or complaint; using personal data for fraud prevention; using personal data for network and information security; taking photographs at large public events we may co-organise to capture the memory of the occasion and where it is not reasonably practicable to obtain consent from all those attending and where the rights of individuals are respected.


We may, on occasions, use the personal data of an individual within the terms of our contract agreement between that individual or organisation and PHS. Another example is the employment contract our employees have with PHS.

Special categories of personal data

There are certain categories of personal data which are classed as ‘special categories of personal data.’  These categories contain information about individuals that is more sensitive and includes information concerning health and ethnicity, among others. There are specific legal bases for the use of ‘special category personal data’ and the most common ones that PHS uses will be that the use is necessary for:

  • carrying out processing in the field of employment law
  • protecting the vital interests of an individual
  • establishing, exercising or defending legal claims or in the case of a court order
  • reasons of substantial public interest for aims that are proportionate and respect people’s rights
  • purposes of preventive or occupational medicine, the provision of health or social care or the management of health or social care systems and services. Examples include the development of secure information systems for collecting data that support our creation of official statistics, and the processing of data in relation to the provision of a staff occupational health service.
  • reasons of public interest in the area of public health such as protecting against threats to public health, e.g. COVID-19 pandemic, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices
  • archiving, scientific or historical research purposes or statistical purposes with safeguards that ensure that the privacy of individuals is respected. This legal basis is the most common reason for PHS processing special categories of personal data. PHS is recognised in law as a producer of official statistics in Scotland and therefore may, where appropriate, apply the exemptions that exist in the Data Protection Act 2018 that will enable it to achieve its purposes in relation to this legal basis for processing. Statistics inform a vast range of decisions across society. They are a public asset in two senses: because they serve to inform public judgements and debate; and because they are based on information gathered about individuals and organisations. As such, they are part of the lifeblood of democracy and are in the public interest

Examples of statistics produced by PHS are:

  • the abortion statistics which are based on abortion data that PHS is legally obliged to process on behalf of Scotland’s Chief Medical Officer under the Abortion (Scotland) Regulations 1991
  • statistics on improving ethnic data collection for equality and diversity which are based on data PHS processes under its duties in relation to the equality Act 2010 (Specific Duties) (Scotland) Regulations 2012
  • annual delayed discharges statistics based on data we are obliged to process in order to support the national indicators for health and social care integration outcomes
Last updated: 06 October 2022