This page provides details about the various personal information we request, obtain and store, our purposes for using that information, who provides us with it, how we protect it, and more.
If you have any questions or concerns about information we hold, please see section 10 - 'Your Rights'
11 - Child Friendly Privacy Notice (added 27/04/21)
NHS Greater Glasgow & Clyde (NHSGGC) is a public organisation created in Scotland under section 1 of the National...
NHS Greater Glasgow & Clyde (NHSGGC) is a public organisation created in Scotland under section 1 of the National Health Service (Scotland) Act 1978 (the 1978 Act). It is one of the organisations which form part of NHS Scotland (NHSS).
NHSGGC is the data controller of the personal data it processes for the purpose of the Data Protection Act 2018 along with the General Data Protection Regulation (GDPR) and is registered as a data controller with the Information Commissioner under Notification No Z8522787.
For the purposes of data being processed in the Louisa Jordan Hospital for the Covid 19 Pandemic support, both NHS Greater Glasgow & Clyde and The Scottish Government will act as Joint Controllers of the data.
We use personal information on different groups of individuals including: Patients Staff Contractors Suppliers ...
We use personal information on different groups of individuals including:
The personal information we use includes information that identifies you like your name, address, date of birth and postcode.
We also use more sensitive types of personal information, including information about racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic and biometric data, health; sex life or sexual orientation.
The information we use can relate to personal and family details; education, training and employment details; financial details; lifestyle and social circumstances; goods and services; visual images; details held in the patient record; responses to surveys.
Under the 1978 Act NHSGGC has the statutory responsibility to provide or arrange for the provision of a range of heal...
Under the 1978 Act NHSGGC has the statutory responsibility to provide or arrange for the provision of a range of healthcare, health improvement and health protection services. We are given these tasks so that we can help to promote the improvement of the physical and mental health of the people of NHSGGC and assist in operating a comprehensive and integrated national health service in Scotland.
We use personal information to enable us to provide healthcare services for patients, data matching under the national fraud initiative; research; supporting and managing our employees; maintaining our accounts and records and the use of CCTV systems for crime prevention.
NHSGGC, as data controller, is required to have a legal basis when using personal information. NHSGGC considers that ...
NHSGGC, as data controller, is required to have a legal basis when using personal information. NHSGGC considers that performance of our tasks and functions are in the public interest. So when using personal information our legal basis is usually that its use is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us. In some situations we may rely on a different legal basis; for example, when we are using personal information to pay a supplier, our legal basis is that its use is necessary for the purposes of our legitimate interests as a buyer of goods and services. Another example would be for compliance with a legal obligation to which NHSGGC is subject to, for example under the Public Health etc (Scotland) Act 2008 we are required to notify Health Protection Scotland when someone contracts a specific disease.
When we are using more sensitive types of personal information, including health information, our legal basis is usually that the use is necessary:
On rare occasions we may rely on your explicit consent as our legal basis for using your personal information. When we do this we will explain what it means, and the rights that are available, to you. You should be aware that we will continue to ask for your consent for other things like taking part in a drug trial, or when you are having an operation.
We receive information directly from yourself or from other individuals and organisations involved in the delivery of...
We receive information directly from yourself or from other individuals and organisations involved in the delivery of health and care services in Scotland. These include other NHS Boards and primary care contractors such as GPs, dentists, pharmacists and opticians; other public bodies e.g. Local Authorities and suppliers of goods and services.
Depending on the situation, where necessary we will share appropriate, relevant and proportionate personal informatio...
Depending on the situation, where necessary we will share appropriate, relevant and proportionate personal information in compliance with the law, with the following:
During the COVID-19 (coronavirus) pandemic, personal data is used and shared by a number of NHS Organisations across Scotland, including Public Health Scotland and NHS National Services Scotland. Full details of how the data is used can be found at the links below:
It is sometimes necessary to transfer personal health information overseas for example if you require urgent medical ...
It is sometimes necessary to transfer personal health information overseas for example if you require urgent medical treatment abroad. When this is needed information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with NHSScotland Information Security Policy.
Within NHSGGC we keep personal data as set out in the Scottish Government Records Management Health & Social Care...
Within NHSGGC we keep personal data as set out in the Scottish Government Records Management Health & Social Care Code of Practice (Scotland) 2020.
The NHS Code of Practice sets out minimum retention periods for information, including personal information, held in different types of records including personal health records and administrative records. As directed by the Scottish Government in the Records Management Code of Practice, we maintain a retention schedule which details the minimum retention period for the information and procedures for the safe disposal of personal information.
We take care to ensure your personal information is only accessible to authorised people. Our staff have a legal and ...
We take care to ensure your personal information is only accessible to authorised people. Our staff have a legal and contractual duty to keep personal health information secure, and confidential. The following security measures are in place to protect personal information:
This section contains a description of your data protection rights within NHSGGC. The right to be informed NHSGGC m...
This section contains a description of your data protection rights within NHSGGC.
NHSGGC must explain how we use your personal information. We use a number of ways to communicate how personal information is used, including:
You have the right to access your own personal information.
This right includes making you aware of what information we hold along with the opportunity to satisfy you that we are using your information fairly and legally.
You have the right to obtain:
Although we must provide this information free of charge, if your request is considered unfounded or excessive, or if you request the same information more than once, we may charge a reasonable fee.
If you would like to access your personal information, you can do this by contacting:
Health Records Legal Manager
NHS Greater Glasgow and Clyde,
Admin Building Level 2,
Gartnavel Royal Hospital,
1055 Great Western Road
Once we have details of your request and you have provided us with enough information for us to locate your personal information, we will respond to your request without delay, within one month (30 days). However If your request is complex we may take longer, by up to two months, to respond. If this is the case we will tell you and explain the reason for the delay.
For further information on how to access your health records please go to our 'Access to Records / Seeing your notes' page.
If the personal information we hold about you is inaccurate or incomplete you have the right to have this corrected.
If it is agreed that your personal information is inaccurate or incomplete we will aim to amend your records accordingly, normally within one month, or within two months where the request is complex. However, we will contact you as quickly as possible to explain this further if the need to extend our timescales applies to your request. Unless there is a risk to patient safety, we can restrict access to your records to ensure that the inaccurate or incomplete information is not used until amended.
If for any reason we have shared your information with anyone else, perhaps during a referral to another service for example, we will notify them of the changes required so that we can ensure their records are accurate.
If on consideration of your request NHSGGC does not consider the personal information to be inaccurate then we will add a comment to your record stating your concerns about the information. If this is case we will contact you within one month to explain our reasons for this.
If you are unhappy about how NHSGGC has responded to your request for rectification we will provide you with information on how you can complain to the Information Commissioner’s Office, or how to take legal action.
When NHSGGC is processing your personal information for the purpose of the performance of a task carried out in the public interest or in the exercise of official authority you have the right to object to the processing and also seek that further processing of your personal information is restricted. Provided NHSGGC can demonstrate compelling legitimate grounds for processing your personal information, for instance; patient safety or for evidence to support legal claims, your right will not be upheld.
There are other rights under current Data Protection Law however these rights only apply in certain circumstances. If you wish further information on these rights download our Data Protection Notice - Other rights (PDF) document.
NHSGGC employ a Data Protection Officer to check that we handle personal information in a way that meets data protection law. If you are unhappy with the way in which we use your personal information please tell our Data Protection Officer using the contact details below.
Data Protection Officer
Email: [email protected]
Phone: 0141 278 4774
Data Protection Officer
NHS Greater Glasgow and Clyde
1 Smithhills Street
You also have the right to complain about how we use your personal information to the Information Commissioner’s Office (ICO). Details about this are on their website at www.ico.org.uk.
What is a Privacy Notice? A privacy notice helps us tell you how NHS Greater Glasgow & Clyde use information we ...
A privacy notice helps us tell you how NHS Greater Glasgow & Clyde use information we hold about you, like your name, address, date of birth and all of the notes the doctor or nurse makes about you in your health record.
From the age of 12 years old the law allows you to make some decisions about what we do with your information. In some situations we should ask your permission if we want to do anything with your information (this is known as processing). You can still ask an adult (like your Mum or Dad) for help with this if you don’t understand what we are asking you.
We need a privacy notice to make sure we meet the rules which are written in a law called the UK General Data Protection Regulation (UK GDPR for short).
The UK GDPR is a rule that was introduced in 2021. It gives us guidelines to follow and provides you with a list of your rights, like:
• The right to be told how we use your information
• The right to be told how we make sure that the information is kept safe
• The right to ask to see the information we hold
• The right to ask us to change information you think is wrong
We collect personal information so we know who you are and other types of information to manage a patient’s health – such as your name, address, information about your parents or guardians, records of appointments, visits, telephone calls, your health record, treatment and medicines, test results, X-rays and any other information to enable us to care for you.
We might need to share this information with other medical teams in hospitals, for example, if you need to be seen by a special doctor or sent for an X-ray. We may be asked to help with exciting medical research but we will always ask you, or your parents or adults with parental responsibility, if it’s okay to share your information.
Everyone working in the NHS knows that they need to keep your information safe. Especially the information which identifies you; this might be your name or address and anything that you come to see us about. We are not allowed to share this type of information with anyone that shouldn’t see it. This includes talking to them about it.
Under the new UK GDPR you are allowed to ask to see your health records whenever you like, we call this a Subject Access Request (SAR for short). This is normally free. To be able to see your records you will need to contact us, you can phone, email or write to us. We will ask you for some basic details so that we can make sure that we are giving this information to the right person. We will check with the doctor that it is okay for us to give you your health record and once the doctor has agreed we will give you the information within 1 month of you asking us.
After seeing your health record if you think that any of the information you see is not correct, you can ask for this information to be taken out or corrected. This can only be done if we are 100% sure that the information is NOT correct.
All of our patients, no matter what their age, can in some circumstances say that they don’t want us to share their information. If you are older than 12 and understand this decision, you are allowed to make the decision by yourself. If you’re not sure about something, you can always ask us or another adult you trust.
It is important that you tell us or any other person treating you if any of your details such as your name, address or contact details have changed. This is because we sometimes have to share your information with other people like healthcare staff or your own Doctor and we need to be sure that we are talking about the correct person.
If this doesn’t give you the information you need you can ask a member of medical staff or someone you trust.
If you have access to the internet, you can also read more on the ICO website (www.ico.org.uk).
If you are not happy about how your information is being kept or shared, you can speak to our Data Protection Officer or a member of the Information Governance Team and explain why you want to complain. You can email us at [email protected]
We try to give you as much information as possible and we always make sure that the information we give you about how we use your data is up to date. Any updates will be published on our website at www.nhsggc.org.uk