Privacy and Data Protection Notice

SOAR

About NHS Education for Scotland

NHS Education for Scotland (NES) is a public-sector body as set out in 2002 No. 103 National Health Service – the NHS Education for Scotland Order 2002. It is one of the organisations which form part of NHS Scotland (NHSS).

NES is an education and training body and a special health board within NHS Scotland, with responsibility for developing and delivering education and training for the healthcare workforce in Scotland.

What types of personal information are collected

NES holds and manages personal data for the administration and evaluation of training and education of health and social care professionals, for the employment of staff, for research and for related activities in support of our core purposes.

We process several categories of personal data, including:

  • Training management data: including contact details for trainees, educational history, placements and records of progress
  • Educational data: contact details, records of attainment, records of attendance
  • Employee data: contact details, employment and educational history, leave records, management information, performance and appraisal information
  • Contact details for: contractors and suppliers, stakeholders, volunteers, organisational leads or contacts for specific activities
  • Equality and diversity data (where provided by individuals): race or ethnicity, religion, sexual orientation, disability

For SOAR, we process the following categories of personal data:

  • Name
  • GMC Number
  • Health Board
  • Medical Specialty
  • E-mail address
  • Contact details

What is the purpose of processing data

To enable the NES Medical Appraisal Team and authorised employees of your Health Board to arrange and facilitate your appraisal and supporting information required for revalidation.

For those who also have the role of Appraiser, relevant details regarding training and activity as an appraiser will also be retained.

What is the legal basis for using personal information

NES, as a data controller and a data processor, is required to have a legal basis when using personal information. NES considers that performance of our tasks and functions is in the public interest. When using personal information, our legal basis is usually that its use is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us.

For SOAR, NES considers our legal basis for processing is:

  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. SOAR is recognised by SGHD as the secure electronic repository to be used by clinicians to record their appraisal and supporting documentation and declarations required in this process.
  • Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights, or freedoms of the data subject.

Sharing the information

We will share personal data where appropriate and necessary with third parties such as employing NHS Boards and other employers, educational institutions and regulatory and professional bodies. We will also share personal data where required to do so by law.

For SOAR we may share your data with:

  • NHS Scotland Health Boards
  • Regulatory and professional bodies
  • Legitimate third parties such as Appraisal Leads and Responsible Officers

Transferring personal information abroad

SOAR will not transfer any of your personal data outside of the UK.

Retention periods of the information we hold

We only keep your information for as long as it is necessary to fulfil the purposes for which the personal information was collected. This includes for the purpose of meeting any legal, accounting or other reporting requirements or obligations. The NHS Scotland retention policy sets out the minimum retention timescales.

For SOAR, appraisal meeting details will be retained, but retention of appraisal documents and personal details is managed depending on your status on SOAR:

  • For those whose user account has been archived by the health board admin team for 18 months – a notification of data removal will be emailed to the user requesting that they log in to download all necessary documents. At 24 months, SOAR will automatically delete the contact, login details and past appraisal supporting information.
  • For those who have a live account but have not logged in to SOAR for 18 months – a notification of data removal will be emailed to the user requesting that, if they are still using SOAR for their appraisal, they log in to review their details; otherwise SOAR will automatically archive their account.
  • For those who have a live account, 3 years after the last revalidated date, SOAR will send out an email notification – along with a link to download all of that revalidation cycle’s documents (submitted forms 1-3 and uploaded docs, and Form 4s) – requesting the user to download their information before we proceed to delete. 12 months after this, SOAR will automatically delete completed appraisal forms and documents in the previous revalidation cycle. (This means that SOAR will retain a given revalidation cycle’s (5 years) worth of information for 4 years.)

Security of your Information

We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking reasonable measures to ensure the confidentiality and security of personal data for which we are responsible.

All NES staff are required to undertake annual information governance training and to be familiar with information governance policies and procedures.

Your rights regarding your personal data

You have the following rights in regard to your personal data:

  • The right to be informed of why we are collecting/holding data about you and how that data will be used;
  • The right to access the data we hold about you;
  • The right to have the data we hold about you rectified if it is inaccurate or incomplete;
  • The right to have your personal data erased and to prevent processing in specific conditions;
  • The right to restrict the processing of your data;
  • The right to obtain and reuse your personal data for your own purpose across different services;
  • The right to object to the processing of your data based on legitimate interests of NES, direct marketing or for the purposes of scientific/historical research and statistics;
  • The right not to be subject to a decision based on automated processing.

How to access your personal data?

You have the right to access the information which NES holds about you, and why, subject to any exemptions using a Subject Access Request. Requests must be made in writing and you will need to provide:

  • Adequate information [for example full name, address, date of birth, staff number etc] so that your identity can be verified and your personal data located.
  • An indication of what information you are requesting to enable us to locate this in an efficient manner.

You should send your request to the Information Governance Team. Contact details can be found below.

We will aim to comply with requests for access to personal data as quickly as possible. We will ensure that we deal with requests within 30 days of receipt unless there is a reason for delay that is justifiable.

Complaints about how we process your personal data

In the first instance, you should contact the Information Governance Team – contact details can be found below.

NES is a 'data controller' under the Data Protection Act. We have notified the Information Commissioner that we process personal data and our registration number is: Z7921413

The details are publicly available from the:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow SK9 5AF

www.ico.gov.uk

How to contact us

Email: foidp@nes.scot.nhs.uk

Data Protection Officer
Westport 102
West Port
Edinburgh EH3 9DN



This page was last updated on: 22/05/2018