Where we get personal data from

Information is collected whenever someone registers with a GP, or receives care in a hospital, clinic, other health or social care setting or from voluntary sector agencies. In Scotland, extracts of this information (which sometimes includes personal health and care information) are identified from individual records held by the health or care provider are coded and these codes sent securely through secure electronic messages to PHS. Therefore, PHS does not hold a full record of your care or interaction with the service provider as these are held locally with your service provider.

For our staff, personal data is collected during the recruitment process, when issuing contracts of employment, as well as when staff engage with training and personal development, occupational health, payroll and finance, staff surveys and information security.

PHS receives electronically coded information on the prescribing and dispensing of medicines from GPs, pharmacies and Pharmacy First. This helps us calculate, for example, how much money NHS Scotland will reimburse the pharmacists who dispensed your medicines and also report on prescribing and dispensing patterns in Scotland.

PHS receives extracts of hospital activity data from NHS Boards for purposes including benchmarking activity across a range of indicators to help support service improvements.

PHS receives information about infectious disease and environmental hazards to health from NHS staff, NHS Board public health departments, hospital laboratories and Local Authority environmental health departments etc.

PHS receives some extracts of social care information from local authorities which are used to inform planning of social care services and produce official statistics that produce insights in self-directed support, home care, care homes and community alarms/telecare as well as measure progress towards the national commitments in the Scottish Government’s strategic framework for supporting improvements in the delivery of palliative and end of life care across Scotland.

Personal data such as email address are also captured directly from members of the public who may choose to opt in and register to subscribe to our public health email updates, blogs, and newsletters which provide information and opinions on health inequality, weekly news stories, research activity, conferences and new publications of relevance to public health intelligence in Scotland. We may sometimes also capture email addresses when we consult with the public on various public health topic areas or seek feedback on the content, structure and usage of our website and publications. In all these cases, people will be able to unsubscribe or opt-out.

PHS works with staff in organisations such as NHS Boards, integration joint boards, GPs, hospitals, local authorities, voluntary groups and some other public sector organisations to share extracts of data securely and legally.

How long can we keep your personal data?

Information is held for as long as it is needed for processing, and in accordance with the Public Records (Scotland) Act 2011 and Records Management Code of Practice. We maintain a retention schedule detailing the minimum retention period for the information and procedures for the safe disposal of personal data. Please contact the data protection officer for information about data retention periods for any specific processing of data you are interested in and we will be happy to provide you with further information and give you reasons for the applied retention period.   

We often retain health information indefinitely, or until the specific data collection comes to an end and the dataset is no longer required, in accordance with our purposes of public interest in the area of public health such as epidemiology (monitoring trends in patterns of disease), to monitor the effectiveness of health interventions such as vaccination programmes, and to identify new and emerging infectious or environmental threats to the health of the population. These may involve understanding historic patterns over a long period in order to provide meaningful health intelligence and make better inferences about today and the future in order to protect the people of Scotland.

Keeping some personal data indefinitely complies with the ICO guidance which states that controllers may hold personal data indefinitely for statistical, historical research, and archiving purposes in the public interest. Where this is the case, the specific data protection impact assessment will state this and explain why, including the appropriate safeguards which have been put in place.

Last updated: 11 December 2024