
Your Information and How We Use It

NHS Orkney - Main Privacy Notice

About NHS Orkney

NHS Orkney is a public organisation created in Scotland under section 1 of the National Health Service (Scotland) Act 1978 (the 1978 Act). It is one of the organisations which form part of NHS Scotland (NHSS).

About the Personal Information we use

NHS Orkney uses personal information about different groups of individuals, including:

  • Patients
  • Staff
  • Professional experts and consultants
  • Suppliers
  • Complainants, enquirers
  • Survey respondents
  • Individuals captured by CCTV

The personal information we use includes information that identifies you like your name, address, date of birth and postcode.

We also use more sensitive types of personal information, including information about racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic and biometric data, health; sex life or sexual orientation.

The information we use can relate to personal and family details; education, training and employment details; financial details; lifestyle and social circumstances; goods and services; visual images; details held in the patient record; responses to surveys.

Our Purposes for using personal information

Under the 1978 Act, NHS Orkney has a legal responsibility to provide and arrange for the provision of a range of healthcare, health improvement and health protection services. Using personal information is essential to run safe and effective services for the people of Orkney.

We use personal information to enable us to:

  • Provide Healthcare services for patients
  • Provide employment services for employees
  • Conduct research
  • Conduct disease monitoring within the community 
  • Maintain financial accounts and records
  • Use CCTV for crime prevention
  • Data matching under the national fraud initiative
  • Comply with the Forensic Medical Services (Scotland) Act

Our legal basis for using personal information

NHS Orkney, as a data controller, is required to have a legal basis when using personal information.

NHS Orkney considers that performance of our tasks and functions is in the public interest. So, when using personal information, our legal basis is usually that its use is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us.

In some situations, we may rely on a different legal basis; for example, when we are using personal information to pay a supplier, our legal basis is that its use is necessary for the purposes of our legitimate interests as a buyer of goods and services. Another example would be compliance with a legal obligation to which NHS Orkney is subject: under the Public Health etc (Scotland) Act 2008, we are required to notify Health Protection Scotland when someone contracts a specific disease.

When we are using more sensitive types of personal information, including health information, our legal basis is usually that the use is necessary:

  • for the provision of health or social care or treatment or the management of health or social care systems and services; or
  • for reasons of public interest in the area of public health; or
  • for reasons of substantial public interest for aims that are proportionate and respect people's rights, for example research; or
  • in order to protect the vital interests of an individual; or
  • for the establishment, exercise, or defence of legal claims or in the case of a court order.

On occasion, we may rely on your explicit consent as our legal basis for using your personal information. When we do this, we will explain what it means, and the rights that are available to you. You should be aware that we will continue to ask for your consent for other things such as undergoing a specific test or procedure.

Who provides the personal information

Normally, the personal information we have about you has been provided directly by yourself. In some cases, we receive information from other individuals and organisations involved in the delivery of health and care services in Scotland. These may include family members, other NHS Boards, GPs, Dentists, pharmacists, opticians, local authorities or other suppliers of services.

Sharing personal information with others

Depending on the situation, and only where appropriate, we may share personal information with the following types of recipients:

  • Our patient and chosen representatives or carers
  • NHS staff
  • Healthcare, social and welfare organisations
  • Legal representatives
  • Auditors and audit bodies
  • Current, past and potential employers
  • Suppliers, service providers, professional advisors, and consultants
  • Educators and examining bodies
  • Medical researchers
  • Medical educational institutions (for example College of Nursing)
  • Professional bodies
  • Police or law enforcement organisations
  • Regulatory and government bodies
  • Trade unions
  • Voluntary and charitable organisations

When sharing information, NHS Orkney only provides the minimum information required and only if there is a legal basis for doing so; otherwise, NHS Orkney will ask for your consent prior to sharing your data.

The law protects your confidentiality, and we will not share your personal information with others unless there is a clear legal basis to do so. Any information shared will be appropriate, relevant, and proportionate to the purpose of the sharing.

Transferring personal information abroad

It may sometimes be necessary to transfer personal information overseas.

When needed, information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with the Data Protection regulations and with NHS Orkney Information Security Policy.

Retention periods for the information we hold

NHS Orkney keeps personal information as set out in the NHS Records Management Code of Practice (Scotland). This sets out the recommended retention periods for information, including personal information held in different types of records, including medical and administrative. As directed by the Scottish Government Records Management Code of Practice, organisations processing NHS information must:

  • Maintain a retention schedule detailing the retention periods by default for the information we process and have procedures for mandatory archival of records (when these apply).
  • Ensure the safe disposal of personal information.

NHS staff and subcontractors must follow these guidelines.

How we protect personal information

We take care to ensure your personal information is only accessible to authorised people. Our staff have a legal and contractual duty to keep personal health information secure and confidential. We do this by:

  • ensuring all staff and subcontractors undertake mandatory training in data protection and IT security
  • ensuring compliance with the NHS Orkney Information Security Policy
  • following organisational policy and procedures on the safe handling of personal information
  • having access controls and audits of electronic systems
  • ensuring that organisations that process personal information held by NHS Scotland comply with Cyber Essentials® and work towards information security best practices, such as the ISO 27001 Standard

When planning the development of new information systems or services, NHS Orkney follows the principles of ‘Privacy by design’. This means that we will always use your personal information appropriately.

Your rights

This section describes your data protection rights within NHS Orkney.

The right to be informed

NHS Orkney must explain how we use your personal information. To do this we have produced:

  • this data protection notice
  • patient information leaflets
  • information on display screens around the Balfour

You can also speak to a member of staff involved in your care.

The right of access

You have the right to access your own personal information.

This right includes making you aware of what information we hold. It also gives you the opportunity to check that we are using your information fairly and legally.

You have the right to obtain:

  • confirmation that your personal information is being held or used by us
  • access to your personal information
  • additional information about how we use your personal information

We must provide this information free of charge. However, in certain circumstances we may charge a reasonable fee or refuse to process your request, such as:

  • if your request is considered unfounded or excessive
  • or if you request the same information more than once

If you would like to access your personal information, you can do this by contacting the relevant data controller (for example your local NHS Board or GP).

Once the relevant data controller has received your request and you have provided them with enough information for them to locate your personal information, they will respond to your request within one month. However, if your request is complex, they may take up to two months to respond. If this is the case, the data controller will explain the reason for the delay.

The right to rectification

If the personal information held by an NHS Scotland organisation (the data controller) is inaccurate or incomplete, you have the right to have this corrected.

If it is agreed that your personal information is inaccurate or incomplete the data controller will aim to amend your records accordingly. The original information, along with an explanation of why information has been corrected or amended, must remain on our records as an audit trail.

The data controller will normally amend records within one month. If they need more time to do this, they will let you know. They may need another two months if the request is complex. In this case they will contact you as quickly as possible to explain why.

Where possible we will restrict access to your records to ensure that inaccurate or incomplete information is not used until amended. However, if your safety is at risk, we will continue allowing access.

If for any reason the data controller has shared your information with anyone else, perhaps during a referral to another service for example, they will notify them of the changes required so that we can ensure their records are also accurate.

If on consideration of your request the data controller does not consider your personal information inaccurate, they will add a note to your record stating your concerns about the information. If this happens, we will let you know why.

If you are unhappy about how an NHS organisation responds to your request for rectification you can complain to the Information Commissioner’s Office, or take legal action.

The right to object

You have the right to object to your information being used. NHS Scotland will consider your request and respond within one calendar month.

If NHS Scotland can demonstrate compelling legitimate grounds to use your personal information (for example, when it is needed for patient safety or as evidence to support legal claims) your right will not be upheld.

Other rights

You have other rights under current Data Protection Law, such as the right to erasure, the right to restrict processing and the right to data portability. However, these rights only apply in certain circumstances. More information on these rights can be found on the Information Commissioner’s Office website.

The right to complain

Every board in NHS Scotland has employed or nominated a data protection officer to check that they manage personal information in a way that meets data protection law requirements. If you are unhappy with the way in which we use your personal information, please contact your local data protection officer (details provided below).

You also have the right to complain to the Information Commissioner’s Office (ICO) about how we use your personal information.

Other languages and formats

This information can be provided in other languages and formats on request. The NHS inform helpline provides an interpreting service.

Staff Privacy Notice

Staff can access the Privacy notice via the link below:

Staff Privacy Notice

Your local NHS Data Protection Officer

If you have a data protection concern, please contact your NHS Orkney Data Protection Officer.

The Data Protection Officer for NHS Orkney is Iain Gray. You can write to Mr Gray at The Balfour, Foreland Road, Kirkwall, KW15 1NZ, telephone on 01856 888 220 or send an email to ork.dp@nhs.scot

Getting in touch

We shall be delighted to hear from you, so here are the various ways of contacting us:

The Balfour

By telephone to:
01856 888100
(during office hours)

01856 888000
(out of hours)

By e-mail to:
ORK.feedback@nhs.scot

By letter to the address below:

Foreland Road
Kirkwall
Orkney
KW15 1NZ