The following notice applies from February 2023
1. About NHS Education for Scotland (NES)
NES is a public organisation created in Scotland under section 2 of the National Health Service (Scotland) Act 1978 (the 1978 Act). NES was set up by the NHS Education for Scotland statutory order (2002, no. 103).
NES is a special health board within NHS Scotland. Our responsibility is developing and delivering education and training for the health and social care workforce. We are also the lead body for digital development in health and social care.
We are one of the organisations which form part of NHS Scotland (NHSS). Our headquarters are:
NHS Education for Scotland
Westport 102, West Port, Edinburgh, EH3 9DN
Data Protection Officer contact details
NES employs a Data Protection Officer to check that we handle personal information in ways that meet data protection law. Our Data Protection Officer is Tracey Gill who can be contacted at this email address:
Telephone: 0131 656 3200
Or through our Edinburgh postal address:
Westport 102, West Port, Edinburgh, EH3 9DN
We have notified the Information Commissioner that we process personal data. Our registration number is: Z7921413
The registration details are publicly available from the:
Information Commissioner’s Office (ICO)
Wilmslow SK9 5AF
To search the online ICO register, please see: Register of fee payers | ICO
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
As a controller we collect and use (process) the following kinds of personal data:
Special categories of personal data
We also handle special category (sensitive) information about:
As a data controller we use such data where needed in our role in health workforce development. For example, in mandatory monitoring of equality and diversity to ensure that NES is a safe place to work. We process data to ensure we meet legal duties embedded in policies like sick pay or equal opportunities.
As either a data controller or a data processor, NES also processes personal and special category personal data in its role as a lead digital provider for the provision of and management of health and social care systems and services, supporting NHS Boards in the delivery of health and social care treatment.
We hold and manage personal data for the:
To meet the law we may need to supply personal data to regulators if asked.
Use of third-party service providers
We use or work with contractors and other third-party service providers who will process personal data on our behalf.
Those third parties are our data processors and can only process your personal data on our instructions or with our agreement.
NES, as data controller, is required to have a legal basis when using personal information.
NES considers that performance of our tasks and functions is in the public interest. So, when using personal information our legal basis is usually that its use is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us.
In some situations, we may rely on a different legal basis; for example, when we disclose personal information to comply with a legal request (such as a court order), our legal basis is that its use is necessary to comply with the legal obligation.
Another example would be for compliance with a legal obligation to which NES is subject.
When we are using more sensitive types of personal information, including health information, our legal basis is usually that the use is necessary:
On rare occasions we may rely on your explicit consent as our legal basis for using your personal information. When we do this, we will explain what it means, and the rights that are available, to you.
Dedicated privacy notices set out the details for each processing purpose.
When you do not provide information directly to us, we may hold it because we have received it from other individuals and bodies involved in the delivery of health and care services in Scotland. These include other NHS boards or public bodies and suppliers of goods and services.
We will share personal data with others (‘third parties’) where necessary, including:
We accept that the duty to share information can be as important as the duty to protect confidentiality and have agreed to the intra-NHS Scotland Information Sharing Accord.
We also share personal data where required to do so by law.
NHS Education for Scotland is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud and other crime. Further information is available here.
NES does not routinely transfer any data outside of the UK, but when information is transferred outside the UK we will do so in full compliance with the NHS Scotland Information Security Policy. NES will ensure that data is only transferred to countries where appropriate data protection safeguards are in place.
We only keep your information for as long as is necessary to fulfil the purposes for which the personal information is collected.
This includes for the purposes of meeting any legal, accounting, or other reporting requirements or obligations.
The NHS Scotland retention policy sets out the minimum retention timescales. Please see: Scottish Government Records Management: Health and Social Care Code of Practice (Scotland) 2020. Privacy notices for each processing purpose set out retention details.
In some circumstances we will anonymise your personal information so that it can no longer be associated with you. We are allowed to use such de-personalised information without further notice to you.
We take care to ensure your personal information is only accessible to people with the need and right to know. Our staff have a legal and contractual duty to keep personal health information secure and confidential. The following security measures are in place to protect personal information:
NES is compliant with the Network and Information Systems (NIS) Regulations 2018 (UK) as an operator of essential services. We are currently working towards Cyber Essentials certification.
We have put in place procedures to deal with any suspected data breach and will notify you and the regulator of a suspected breach where legally required.
This section contains a description of your data protection rights within NES.
The right to be informed
NES must explain how your personal data is used. We communicate how personal information is used in several ways, including:
For a list of our websites, portals, and third-party online tools and their privacy notices and terms and conditions, please see the tabs at the top of this page, and the links in the final section of this notice.
The right of access
You have the right to ask NES whether it is processing your personal data. Where we are, you have the right to access the personal data, and be told the:
Taking this step is called making a subject access request.
We must provide this information free of charge. However, if you request more than one copy we may charge a reasonable administrative fee.
When you make a subject access request we ask for proof of identity such as a passport, photo ID driving license, or evidence of address. Once we have details of your request and you have given us enough information to find your personal data, we must respond without delay, within one month (30 days).
If your request is complex, we may take longer to respond - up to two months. If this is going to happen, we will tell you before the first month is up and give a reason.
If you would like to see information we hold about you, please complete the 'NES Subject Access Request Form' (doc).
This should be returned to:
You do not have to use this form, but it ensures you give us the details that speed processing. You can also post a request to:
Data Protection Officer, NHS Education for Scotland, Westport 102, West Port, Edinburgh, EH3 9DN
The right to rectification
If the personal information we hold about you is inaccurate or incomplete you have the right to have this corrected (rectified).
If it is agreed that your personal information is inaccurate or incomplete, we will amend your records within one month - or two months where the request is complex. We will contact you quickly to explain any need to extend the timescale in this way.
If NES does not agree that your personal information is inaccurate, we will add a comment to your record stating your concerns about the information. Where this is the case, we must contact you within one month and give our reasons.
If you are unhappy about how we have responded to your request for rectification, we will give you information on how to complain to the Information Commissioner’s Office, or to take legal action.
The right to object
When NES is processing your personal information for the performance of a task carried out in the public interest or in the exercise of official authority, you have the right to object to the processing, or to seek restriction of further processing.
Where NES can show compelling legitimate grounds for processing your personal information, for instance patient safety or evidence to support legal claims, your right to object will not be upheld.
The right to complain
NES employs a Data Protection Officer to check that we handle personal information in ways that meet data protection law. If you are unhappy with the way in which we use your personal information, please tell our Data Protection Officer.
You have the right to raise concerns about the handling of your personal data with the Information Commissioner:
Other rights under data protection law only apply to certain cases. These rights include:
This is the right to request that we delete or remove personal information if there’s no compelling reason for us to continue using it. The right applies if processing is:
We can refuse to deal with your request for a number of reasons, including a need to:
The right only applies when you submit your personal information directly to us by electronic means and our legal basis for processing the information is consent or contract. This means that in most circumstances the right to data portability does not apply within NES. Where it applies, you are entitled to:
You have the right to object to any instances where a decision is made about you solely by automated means without any human involvement. This could include profiling. NES does not make decisions using wholly automated means in a way currently covered by data protection law.
A cookie is a small data file that certain websites write to your hard drive when you visit them. This NES site uses various types of cookie. These cookies are used to make our websites run more efficiently.
They also allow our web server to remember and store your preferences as you travel around our pages.
Google Analytics cookie. This stores the domain name (hash code) of site, pages viewed this session, current time.
Google Analytics cookie. This stores the domain name (hash code) of site.
At end of session
Google Analytics cookie. This stores the domain name (hash code) of site, a unique visitor id (randomly generated number), time of first visit, time of previous visit, current time, number of sessions since first visit.
Google Analytics cookie. This stores the domain name (hash code) of site, time when cookie last set, total number of visitor sessions, number of different channels or sources through which this site was reached, source of the last cookie update, search hit tag identifier (or just 'organic' if reached via normal search hit), search medium, keyword phrase used to find site.
This stores the name of the site (www.nes.scot.nhs.uk), the current time and the expiry time of the cookie. This cookie is used to test whether the visitor has accepted the cookie message.
datr, fr, wd
We use Facebook pixel to help us understand the users of our website and to make our marketing and advertising campaigns more engaging and relevant to them.
Collection and use of technical information
Technical details in connection with visits to this website are sometimes logged and collected in the Turas Hosting platform (Microsoft Azure).
We will make no attempt to identify individual users. However, access to web pages will generally create log file entries in the systems of your Internet Service Provider (ISP) or network services provider.
Log files of all requests for files on Microsoft Azure may be maintained and analysed. Aggregated analyses of these log files are used to monitor website usage. These analyses are used to allow us to monitor and evaluate the effectiveness of our websites. All log file information collected by NES is kept secure and is not provided to any third parties.
Every NHS organisation has a Caldicott Guardian charged with ensuring patient identifiable information is protected in our work. The NES Caldicott Guardian is:
Dr David Felix
Postgraduate Dean of Dental Education • Dental
NHS Education for Scotland
Edinburgh EH3 9DN
We keep our privacy notices under regular review. If there are any changes we will update this page to tell you, for example, about any new uses of personal data.
Check this page to make sure you are aware of what information we collect, how we use it and the circumstances in which we may share it with other organisations.
From time to time, we may also tell you in other ways about the processing of your personal data.
Eyecare Privacy Notice [PDF]
ReSPECT Privacy Notice [PDF]
Vaccinations [Covid, Pertussis, Seasonal, Travel etc]
By recording consent to receive any NES newsletter, you understand that Mailchimp will be responsible for storing and managing your name and email address. You can unsubscribe from this service at any time by clicking on the link at the foot of each newsletter. Or contact us at:
Questback is an online survey tool used to improve the services and resources offered by NES.
The purpose of each survey and how your data is used will always be stated within the survey form. By completing and submitting a survey, you show you understand that Questback will be responsible as a data processor for storing and managing your personal data.
We do not use Questback to collect special category personal data.
To request removal of your details, email us at:
You have the right to complain about how we use your personal information to the Information Commissioner's Office (ICO).
Details about this are on their website at https://ico.org.uk/your-data-matters/how-to-make-a-data-protection-complaint/.
You also have the right to seek independent judicial remedy through the courts.